Produced by the NASA Center for Aerospace Information (CASI) 




MCR-83-645
Contract NAS8-34938

Final Report

November 1983


POWER SUBSYSTEM 
AUTOMATION STUDY 


Prepared by: 

M. S. Imamura, R. L. Moser, and M. Veatch 
for: 

National Aeronautics and Space Administration 
George C. Marshall Space Flight Center 
Marshall Space Flight Center, Alabama 35812 
Contract NAS8-34938 


MARTIN MARIETTA AEROSPACE 
DENVER AEROSPACE 

P.O. Box 179 
Denver, Colorado 80201 


FOREWORD 


This study was conducted by the Power Systems Section of Martin
Marietta Denver Aerospace. The program manager was Mr. Matthew S.
Imamura.

Study support personnel and their areas of contribution are:

Robert Moser      Power Processing, Subsystem, and Automation
Marty Veatch      Power Sources and Power Distribution Devices
Robert Richards   Energy Storage
Eric Dietrich     Artificial Intelligence and Expert Systems
Matthew Imamura   Subsystems, Systems, and Automation



ACKNOWLEDGEMENTS 



The MSFC Contract Officer Representative for this work was Mr. David
Aichele. His technical guidance to the study, along with discussions
and reviews by the following HQ and MSFC technical personnel, is
gratefully acknowledged:

m 

Mr. Simon Manson - Project and Technology Review 
MSFC 

Mr. Walter Frost - Program Directions and Artificial Intelligence Technology

Mr. Jimmy Miller - Power 

Mr. Roy Lanier - Power 

Mr. James Graves - Power 

Mr. Audie Anderson - Software 




ABSTRACT 


Martin Marietta Denver Aerospace undertook a study to develop a method
for analyzing, selecting, and implementing automation functions for
multihundred-kW photovoltaic power systems intended for a manned space
station. The study involved identification of generic power-system
elements and their potential faults, definition of automation functions
and their resulting benefits, and partitioning of automation functions
between power subsystem, central spacecraft computer, and ground
flight-support personnel. All automation activities were categorized
as data handling, monitoring, routine control, fault handling, planning
and operations, or anomaly handling. Incorporation of all these classes
of tasks, except for anomaly handling, in power subsystem hardware
and software was concluded to be mandatory to meet the design and
operational requirements of the space station. The key drivers are long
mission lifetime, modular growth, high-performance flexibility, a need
to accommodate different electrical user-load equipment, onorbit
assembly/maintenance/servicing, and potentially large number of power
subsystem components. A significant effort in algorithm development and
validation is essential in meeting the 1987 technology readiness date
for the space station.

Artificial intelligence technology was briefly assessed, specifically
with regard to the applicability of expert systems to the automation
functions defined for the power subsystem. Expert-system software
techniques have the potential of vast improvement over traditional
approaches. Possible onboard applications are for electrical consumables
management and battery-operations management, which are system-level
tasks. Potential applications for ground use are in non-real-time
fault diagnosis, anomaly assessment, and mission planning. An indepth
research investigation is desirable to determine the range and domain
of artificial-intelligence technology and the resulting hardware and
software needs for onboard spacecraft use.




GLOSSARY 


ADC       Analog-to-Digital Converter
AgZn      Silver-Zinc
AI        Artificial Intelligence
AMO       Air Mass Zero
APSM      Automated Power System Management
AU        Astronomical Unit
BOL       Beginning of Life
CDS       Control and Display Subsystem
CMD       Command
CPU       Central Processing Unit
CPV       Common Pressure Vessel
CTS       Communication and Tracking Subsystem
CV        Charge Voltage
dc-dc     Direct Current to Direct Current
dc-ac     Direct Current to Alternating Current
DD        Detailed Design
DDTE      Design, Development, Test, and Evaluation
DMS       Data Management Subsystem
DOD       Depth of Discharge
DV        Discharge Voltage
EC/LSS    Environmental Control/Life-Support Subsystem
EMS       Energy Management Subsystem
EOCV      End-of-Charge Voltage
EODV      End-of-Discharge Voltage
EODP      End-of-Discharge Pressure
EOL       End of Life
EPS       Electrical Power Subsystem
ESR       Equivalent Series Resistance
EVA       Extravehicular Activity
GaAs      Gallium Arsenide
GEO       Geosynchronous Equatorial Orbit
GNCS      Guidance, Navigation, and Control Subsystem
GSE       Ground Support Equipment
          Goddard Space Flight Center
H2O2      Hydrogen-Oxygen
          Current at Maximum Power Point
IPV       Individual Pressure Vessel
Isc       Short Circuit Current
IUS       Interim Upper Stage
JSC       Johnson Space Center
LEO       Low Earth Orbit
LiSOCl2   Lithium Thionyl-Chloride
MSFC      Marshall Space Flight Center
NiCd      Nickel-Cadmium
          Nickel-Hydrogen
P3        Programmable Power Processor
PD        Preliminary Design
          Maximum Power
          Propulsion Subsystem
          Power Subsystem Automation Study
PV        Photovoltaic
RF        Recharge Fraction
RFC       Regenerative Fuel Cell
RPC       Remote Power Controller
S/C       Spacecraft
SEP       Solar Electric Propulsion
SOC       State of Charge
SOH       State of Health
SCATHA    Spacecraft Charging at High Altitude
Si        Silicon
SR        Series Regulation
SW        Switch
TCS       Thermal Control Subsystem
TM        Telemetry
Voc       Open Circuit Voltage
VO        Viking Orbiter
1.0 EXECUTIVE SUMMARY


This chapter presents an overall summary of the study results. Chapter
2.0 provides the objectives, guidelines, and background information for
this study. Chapters 3.0 through 7.0 follow with detailed results of
the study, arranged in order of the five study tasks. Chapter 8.0
summarizes the artificial intelligence technology and its status, and
discusses the potential applicability of the expert system techniques
among the power subsystem automation functions identified.

1.1 INTRODUCTION 

A major purpose of the Space Station is to implement new designs,
concepts, and methods that will reduce life-cycle costs, extend
operational life, and yield improved system performance. The resulting
power subsystems must therefore be flexible, reliable, efficient,
controllable, and most of all, employ a high degree of automation in
their operation. To this end, automation technologies are expected to
make significant and important contributions to the development and
affordable operation of these missions. Therefore, the electrical power
subsystem (EPS) must ensure, in the event of a failure, that the onboard
power capability will degrade gracefully while providing for some
minimum set of useful services. The ultimate power-subsystem
configuration would be one that protects against failures and
reconfigures itself in the event of a failure so as to continue normal
operations.

The primary objective of the NASA-MSFC study undertaken by Martin
Marietta Denver Aerospace is to assess and trade off the automation
technology required to support a multihundred-kW power subsystem in
orbit. This study also is intended to identify the benefits that can be
achieved by a logical and planned application of automated and
autonomous functions. The basic study guidelines are:

1) Generic photovoltaic power system in the 100- to 250-kW range; 

2) Manned and unmanned space station operation; 

3) 10-year life.


It is intended that the automation concepts identified will
significantly reduce the ground and onboard operational burden;
accommodate near-term hardware-technology limitations; and reduce the
development, operations, and resupply costs of the space station.

The following definitions of automation and autonomy apply to this 
study: 

Automation - The performance of a function independently and in a
manner invisible to the human user or operator;

Autonomy - The application of automated functions without external
human intervention for a specified period of time.

There are two basic ways of implementing automation. One is to use
hardwired analog circuits and discrete devices. The other is to use a
programmable controller or computer. The automation of various
monitoring and control tasks enables an autonomous operation. As the
duration of autonomous period increases, so does the complexity of
automation. Autonomy levels of a spacecraft developed by JPL for the Air
Force (Ref 1)* were used in this study for the purpose of demonstrating
a method for automation assessment and implementation. The duration of
autonomy can be described as (1) operating for x days without ground
intervention and no degradation, or (2) operating for y days without
ground intervention and under a permissible degradation.

The study consisted of the following five tasks: 

1) Characterization and classification of power subsystem;

2) Definition of faults and factors affecting electrical power
   subsystem (EPS) performance;

3) Definition of automation task candidates;

4) Partitioning of automation functions;

5) Development of automation assessment and implementation method.

*The number in parentheses is the source reference listed in Chapter 10.

The results of each of the above tasks are summarized in the following
sections. Appendix A contains the contractual statement of work for
these study tasks.

1.2 CHARACTERIZATION AND CLASSIFICATION OF POWER SUBSYSTEM 

As shown in Figure 1.2-1, a generic photovoltaic power subsystem was
defined by identifying the most promising components under each of the
following major subsystem elements: (1) array, (2) power conditioning,
(3) batteries, and (4) power distribution. Other elements such as
gimbals, auxiliary power sources, and sensors/signal-conditioning
circuits were also included. To provide the basis for definition of EPS
faults and automation candidates, typical subsystem configuration
arrangements were also identified. These arrangements fall into two
basic categories, series regulation and direct-energy-transfer types
(Fig. 1.2-2 and 1.2-3). The power-subsystem interfaces with all
components that consume electrical power and with subsystems that are
involved in monitoring and control functions. Figure 1.2-4 shows these
interfaces, which are defined in terms of the major space-station
disciplines.

1.3 DEFINITION OF FAULTS AND FACTORS AFFECTING POWER-SUBSYSTEM PERFORMANCE


The basis for defining the automation function was the identification
of all EPS and non-EPS faults and activities that could affect the EPS
or prevent it from performing its intended functions. All major faults
were identified for each generic subsystem component listed in Figure
1.11-1 except flywheel energy storage and computer-related devices and
circuits. A fault may be defined as the interruption of service at one
or more levels of the space station's functional architecture. Specific
levels are:

- Piece Part

- Assembly

- EPS

- System

Table 1.3-1 is a summary of the major failure and degradation modes for 
each component. A summary of other subsystems and the failure that can 
affect the EPS is shown in Table 1.3-2. 

Table 1.3-1 Summary of Major EPS Failure Degradation Modes

Table 1.3-2 Other Subsystems and Activities that Affect EPS Operation

Subsystem               Failure/Activity                            Effects
Structures              Modular Buildup                             Modular EPS Required
Thermal Control         Impaired Capacity to Manage Waste Heat      Reduced Power
User Loads (All         Shorts or Overloads                         Bus Undervoltage
Subsystems and          Large Differences in Day and Night          May Reduce Bus Power;
Payloads)               Power at Buses                              Excessive Battery DOD
Attitude Control        - Gravity Gradient Attitude Mode            - Reduced Power
                        - Failure to Maintain Required Stable       - Reduced Power
                          Attitude Because of Unknowns in
                          Controlling Large, Flexible Structures
Command                 - Degraded TM Data Transmission             - Reduced Information
                        - Loss of CPC Power                         - Reduced Automation
                                                                      Capability
Data                    Software Maintenance                        Reduced Power
EPS/Crew Interface      Crew Commands, Displays, New Crew,          Reduced Power;
                        Interface Ambiguity, Mistakes               Unintended Shutdown
EPS Ground Operations   Power Management Configuration              Reduced Power
                        History; Audit Trail or Automated
                        Activities; Training; Commands/
                        Displays


1.4 DEFINITION OF AUTOMATION FUNCTIONS 

The ultimate objective is to produce a spacecraft that is fault
tolerant and able to perform routine health and maintenance functions
without ground intervention. To this end, faults and activities
identified for the generic power subsystem were used as a starting
point. Specific fault correction and routine health and maintenance
functions were then identified. All specific automations were
categorized under the following classes: data handling, monitoring,
routine control, planning and operations, and anomaly handling. A
generalized list of benefits was developed (Tables 1.4-1 and 1.4-2). An
example of the analysis applied to faults for a dc/dc converter is shown
in Table 1.4-3. Table 1.4-4 lists specific examples of automation tasks
for monitoring, routine control, and mission operations and planning.


Table 1.4-1 A List of Generic Automation Functions

Data Handling
- Acquisition
- Processing
- Storage

Monitoring
- Operational State
- State of Health
- Performance Analysis
- Trend Analysis

Fault Handling
- Fault Detection (Caution/Warning/Alarm Limit Check)
- Fault Isolation
- Fault Correction

Control

Planning and Operations

Anomaly Handling


Table 1.4-2 A Generalized List of Potential Benefits from EPS Automation

- Increased Life
- Increased Reliability, Maintainability, and Safety
- Improved Performance
- Reduced Cost
- Subassembly
- Subsystem
- Spacecraft
- Launch Operations
- Flight Operations
- Inflight Fault Detection, Maintenance, and Servicing
- DDTE (Design, Development, Test, and Evaluation)
- Ground Support Personnel Labor
- Ground Support Equipment (Prelaunch and Flight Operations)
- C&DH Subsystem
- Thermal-Control Subsystem
- Life-Support Subsystem
- Crew Training Simulator/C&D Subsystem
- Reduced Maintenance
- Able to Overcome Technology Limitations
- Reduced Astronaut/Power Subsystem Interaction
- Reduced Number of Ground-Support Personnel
- Reduced New Subsystem Familiarization/Training Time
- Reduced PV Array Size and Weight
- Reduced Battery Size and Weight
- Reduced Power Conditioning Size and Weight
- Minimized Human Error
- Allows Space Operation without Crew
- Provides Real-Time Short-Response Control
- Reduced Software/Hardware Interfaces to C&DH Subsystem
- Improved Security and Survivability

Table 1.4-3 Dc/Dc Converter Failure Modes, Automation Candidates, and Benefits

*See Table 1-3
**See Table 1-4

Table 1.4-4 Examples of Monitoring, Control, and Mission-Operation Automation Tasks

Monitoring Tasks

Operational State Determination 

- Number and Identity of Components Online, Offline, or Failed 

- Relay Position and Command State 

State of Health 

- Solar Array, Batteries, Power Conditioning, Bias (Housekeeping) Power Supplies 

- Built-in Test and Checkout 

Performance and Trend Analyses 
Solar Array 

- Normalized Peak Power (NPP); Available Average Power/Daytime versus Orbit Number

- NPP and I Degradation 

- Minimum, Average, and Maximum Temperature 
Batteries 

- SOC, DOD, EODV, and EOCV Limit versus Orbit Number

- Average Temperature during Charge and Discharge versus Orbit Number 

- Total Number of Cycles above X%, DOD, T% DOD 

- Number of Cycles Since Last Reconditioning 

- Battery Recharge Fraction versus Orbit Number 

Bus Power Capability (Orbital Average, Average Power Margin) 

Bus Load (Day, Night, and Orbit Average) 

Converters and Inverters 

- Normalized Efficiency 

- Output Impedance 

Load Equipment 

- Input Impedance 

Control Task 

Solar Array 

- Orientation Control 

- Voltage Regulation 

Batteries 

- Charge and Discharge Control 

- Spare Module or Cell Management 

- Reconditioning 

- Redundancy Management 

Converters 

- Load-Sharing Control 

- Redundancy Management 

Imbedded Controller (e.g., P3 Converter)

- Mode Control (Voltage Regulator or Battery Charger) 

- Internal Fault Detection and Isolation 

- Overload Handling 

- Output Voltage Programming 

Planning and Operations Task 

Electrical Consumables Management 

- State-of-Health Prediction 

- Operational State Determination 

- Energy-Balance Calculation 

- Bus Power Capability and Power-Margin Prediction 

- Load Profile Determination 

- Power versus Time 

- Day, Night, Orbital Average 

- Load Equipment Timeline versus Power Capability Analysis 

- Mission Timeline Compatibility Analysis 

- Load Equipment Sequence-and-Command Generation 

1.5 PARTITIONING OF AUTOMATION FUNCTIONS


The basic purpose of this task is to develop a method for partitioning
the automation candidate between the system, power subsystem, and
ground. The partitioning method used is as follows. First, the time
criticality of the function is determined. From this analysis,
functions can be separated into time-critical functions that require
dedicated hardware, such as bus overvoltage; and functions that do not
require the fast response time and are candidates to be performed by a
computer. Next, the location where the task is to be performed and the
resources to do the task are identified. A determination is then made
of the external interface impacts: are the impacts totally within the
EPS, or are these impacts outside the EPS? General criteria established
for partitioning the automation functions are as follows:

Dedicated hardware is to be located in the EPS component; 

Fault detection, isolation, and correction can be partitioned to 
different levels; 

To be partitioned to the EPS, the fault must originate in the EPS; 
the correction resources should be in the EPS; and there should be 
no impacts outside the EPS. 

Finally, the last step consists of considering each function
partitioned to the EPS, the space station system, and the ground, and
providing rationale for or against each subsystem's partitioning.
Examples of partitioning of automation functions between the onboard and
ground are shown in Table 1.5-1. Note that partitioning can be
facilitated in terms of where sensing, analyzing, and acting should best
be performed.

Table 1.5-1 Partitioning of Automation Functions

                                            ---- Partitioning ----
Automation Function                 Option  Sense  Analyze  Act  Rationale/Comments

Monitoring
- Operational State                         EPS    EPS      EPS
- Performance and Trend
- Solar Array and Batteries                 EPS    EPS      EPS
- Power Conditioning                        EPS    EPS      EPS
                                                                 Other Subsystems Involved;
- Load Equipment                    (A)     EPS    EPS      EPS  Data Available to SYS
                                    (B)     EPS    SYS      EPS  Simplest to Implement
- Bus Power Capability              (A)     EPS    EPS      EPS
                                    (B)     EPS    SYS      EPS
                                    (C)     EPS    Ground   EPS

Control
- Solar-Array Orientation           (A)     ACS    ACS      EPS  Past-Practice Data
                                    (B)     SYS    SYS      EPS  Available to SYS;
                                    (C)     EPS    EPS      EPS  Requires SYS Concurrence
- Solar-Array Voltage Regulation            EPS    EPS      EPS
- Battery Charge and Discharge              EPS    EPS      EPS
  Control
- Battery Reconditioning            (A)     EPS    EPS      EPS  Requires SYS Concurrence;
                                    (B)     EPS    SYS      EPS  May Require Load Management
                                    (C)     EPS    Ground   EPS  Past Practice
- Battery Spare-Cell/Module                 EPS    EPS      EPS
  Management
- Redundancy Management             (A)     EPS    EPS      EPS
                                    (B)     EPS    SYS      EPS  Whenever Other Subsystems Are
                                                                 Affected
- Converter Loadsharing Control             EPS    EPS      EPS

Planning and Operations
- Electrical Consumables Management (A)     EPS    Ground   EPS  Past Practice (Skylab);
                                    (B)     EPS    SYS      EPS  Other Subsystems Involved
                                    (C)     EPS    EPS      EPS

Legend:
SYS  System
ACS  Attitude-Control Subsystem
EPS  Electrical Power Subsystem

Note: (A), (B), (C) Are Options


1.6 METHOD FOR AUTOMATION ASSESSMENT AND IMPLEMENTATION 


The first step is to define a specific study area such as how to
automate the correction of overtemperature faults in batteries. Three
basic inputs required for the study are:

1) System-Level Criteria

   a) Space station autonomy/automation requirements, including
      autonomy level,

   b) Reliability, maintenance and safety requirements;

2) Subsystem-Level Criteria

   a) Functional requirements and description,

   b) Subsystem interfaces,

   c) Component functional requirements;

3) Mission Operations

   a) Man-machine interface,

   b) Flight-controller functions (i.e., ground crew),

   c) Astronaut/subsystem operational criteria and constraints.

The autonomy level is used to prioritize automation candidates and aid
in partitioning automation functions between the ground and the Space
Station. Reliability requirements are used to categorize faults and to
aid in selecting a fault-correction option. Mission-operations criteria
are used to define specific automation functions needed for orbital
operations.

Factors to be analyzed and defined in a detailed assessment of the 
automation function are: 

1) Impact;

2) Fault category;

3) Fault correction options;

4) Benefits;

5) Time-criticality;

6) Basic implementation, hardware or software.

Basic technical elements in NASA's program development usually consist
of Phase A (planning, conceptual requirements definition, and design),
Phase B (preliminary requirements definition and design), and Phases C
& D (detailed design, fabrication, and integration; launch operations;
mission operations). It is assumed that Space Station-level autonomy/
automation and reliability requirements will be addressed in each of
these program phases, and their details will increase as the program
phases progress. The method outlined here depends to a large extent
on the system-level requirements available. Therefore, the extent to
which automation assessment can be done at the subsystem level would be
a function of level of details available at the station level. It is
logical then to assume that the designers, especially during Phases B,
C, and D, would have access to top-level specifications and
design-criteria documents covering not only autonomy/automation
requirements, but also other high-level functional criteria.

1.7 ARTIFICIAL INTELLIGENCE (AI) AND EXPERT SYSTEMS 

1.7.1 AI Technology

Artificial intelligence is that branch of computer science concerned
with the design and implementation of programs that make complicated
decisions, learn, or become more adept at making decisions, interact
with a man in a natural way, and, in general, behave in a manner
typically considered the mark of intelligence.

Intelligence is to be understood not as a property that, for example,
gifted mathematicians possess, but rather as a property all men and
some animals possess. Intelligence, in this sense, is the ability to
understand and process large amounts of information. It is the ability
to meet and cope with novel situations, to comprehend the
interrelationships between facts and concepts, and to generate new
concepts and relationships from those already known (i.e., already in
the data base). The artificiality of the intelligence means merely that
the intelligence is achieved by means of technology.

Scientific research done in AI covers a large area of theoretical
topics such as knowledge representation, knowledge acquisition, problem
solving and search, vision, theorem proving, and natural language.

Though each one of these topics can be researched from the
human-ability perspective, i.e., by asking how a man represents
knowledge, acquires knowledge, solves problems, sees objects,
communicates, etc., researchers in AI are concerned with implementing
the given ability in computers. AI is not only a theoretical enterprise,
it has definite and robust applications. The primary concern in the
applications arena is the design and implementation of expert systems
and natural language interfaces.

1.7.2 What Is An Expert System? 

An expert system is an intelligent computer program that embodies the
knowledge of human experts in a particular domain of expertise. Expert
systems recognize situations, derive conclusions, make decisions based
on what they recognize, and recommend corrective and directive actions.
All of this is done with a competence comparable to that of human
experts. Figure 1.7.2-1 illustrates the basic components of an expert
system. It contains a knowledge base, a rule base, and an inference
engine. The knowledge base (sometimes called working memory) stores the
information (data) on which the expert system operates. The knowledge
base is constantly updated as data are added or deleted. The rule base
is the component that gives the expert system its expert competence,
that is, the ability to make decisions, recommend actions, etc.

Figure 1.7.2-1 Basic Components of an Expert System

The inference engine's job is to execute various rules depending on the
contents (data elements) of the knowledge base. Conceptually, the
inference engine's algorithm is a search and pattern match. It scans the
rules, efficiently searching for a rule whose antecedent (the IF part)
matches the present state of the world, i.e., the facts in the present
knowledge base. If a match is found, the consequent of the rule (the
THEN part) is executed. The actions can be anything from querying or
advising a human user to performing a real-world action, such as
uplinking commands to a satellite or moving a robot arm, to manipulating
its knowledge base or rule set and modifying the behavior of the expert
system itself.
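
The match-and-execute cycle described above, as an added example (not code from the report): a small forward-chaining engine in Python with a knowledge base, a rule base, and an inference loop. The rule names, fact keys, and numeric limits are constructed for illustration; the report specifies none of them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Facts = Dict[str, object]   # the knowledge base (working memory)

# Constructed limits for illustration only; the report gives no numeric values.
TEMP_WARNING_C = 35.0
DOD_LIMIT_PCT = 40.0


@dataclass(frozen=True)
class Rule:
    name: str
    antecedent: Callable[[Facts], bool]              # IF part: pattern over the facts
    consequent: Callable[[Facts, List[str]], None]   # THEN part: update facts / advise


def _flag_overtemperature(facts: Facts, advice: List[str]) -> None:
    # Consequent that only manipulates the knowledge base.
    facts["fault"] = "battery_overtemperature"


def _stop_charge(facts: Facts, advice: List[str]) -> None:
    # Consequent that changes state and advises the operator.
    facts["charging"] = False
    advice.append("terminate battery charge")


def _request_load_shed(facts: Facts, advice: List[str]) -> None:
    facts["load_shed_requested"] = True
    advice.append("shed noncritical loads")


# Rule base, deliberately listed out of causal order: the engine, not the
# listing order, decides what fires when.
RULE_BASE: List[Rule] = [
    Rule("stop_charge_on_overtemperature",
         lambda f: f.get("fault") == "battery_overtemperature"
         and f.get("charging") is True,
         _stop_charge),
    Rule("detect_overtemperature",
         lambda f: f.get("battery_temp_c", 0.0) > TEMP_WARNING_C,
         _flag_overtemperature),
    Rule("limit_depth_of_discharge",
         lambda f: f.get("dod_pct", 0.0) > DOD_LIMIT_PCT
         and not f.get("charging"),
         _request_load_shed),
]


def run_inference(facts: Facts,
                  rules: List[Rule] = RULE_BASE,
                  max_cycles: int = 20) -> Tuple[List[str], List[str]]:
    """Scan the rules, fire the first unfired rule whose antecedent matches
    the current facts, and repeat until no rule matches (quiescence).

    Returns (names of rules fired in order, advice for the human user).
    The facts dictionary is updated in place by the consequents.
    """
    fired = set()            # each rule fires at most once per run
    trace: List[str] = []
    advice: List[str] = []
    for _ in range(max_cycles):          # bound the loop against runaway rule sets
        match = next((r for r in rules
                      if r.name not in fired and r.antecedent(facts)), None)
        if match is None:
            break
        match.consequent(facts, advice)
        fired.add(match.name)
        trace.append(match.name)
    return trace, advice


if __name__ == "__main__":
    # Constructed telemetry sample: hot battery, on charge, deep discharge.
    telemetry: Facts = {"battery_temp_c": 41.0, "charging": True, "dod_pct": 55.0}
    fired_rules, recommendations = run_inference(telemetry)
    print("fired:", fired_rules)
    print("advice:", recommendations)
    print("knowledge base:", telemetry)
```

The depth-of-discharge rule cannot match the initial facts; it becomes eligible only after an earlier consequent has changed the knowledge base, which is the chaining behavior the paragraph describes.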


1.7.3 Natural Language Interface 


It is usual to have a natural language interface to facilitate the use
of the expert system. A natural language interface is a computer
program that allows an end user to interact with an applications program
using a "natural" language such as English rather than special menus or
special-purpose languages such as FORTRAN for programming, RAMIS for
data-base queries, or JOVIAL for command and control. A key advantage
to using a natural language interface rather than a more conventional
interface is ease of learning and use. Because English is used, no
special languages must be learned. Because its use is an extension of
a person's normal communication skills, a natural language interface
can often be a highly effective way to interact with a computer program.

1.7.4 Expert System Applicability

Four considerations must be taken into account when deciding whether an
activity warrants using an expert system. These four are applicable to
a wide variety of domains and find ready application in the area of
automated power subsystems. The reader is referred to other
publications (Ref 2 and 3) for a discussion of expert systems.

A given candidate for automation warrants considering the use of an 
expert system if it: 

1) Is to be used for possible control applications, for non-real-time
   processing, or where very slow response is required;

2) Must process large amounts of information;

3) Requires nonalgorithmic, heuristic problem solving;

4) Requires a high-level, human-like decision;

5) Is such that the software requires frequent modification as a
   result of changing performance characteristics, and operating
   criteria and constraints.

Another discriminator is complexity and how the tasks were performed in
the past. Simple tasks that are well understood and have algorithmic
solutions are not good candidates for expert-system solution. If the
task is complex enough that in the past it could only be performed by a
recognized expert, or group of experts, then the task is a good
candidate for automation by expert-system software.

The following functions were identified as good candidates for
automation by expert-systems software:

1) Battery operations management (as contrasted with routine charge/
   discharge control and protection);

2) Electrical consumables management; 

3) Trend analysis; 

4) Fault analysis (fault detection and diagnosis only and not
   corrective actions);

5) Anomaly handling. 

In the past, the computer has been used to maintain a data base and to
plot data on request, but a man was required to interpret the data and
initiate corrective action. This is an area where expert-system
software could be used to replace some of the human experts. Complex
faults that would require tree searching using algorithmic software
could be replaced by the heuristic approach. Consumables management
could be done with algorithmic software, but there may be benefits in
development time and ease of modifications if expert system software
were used because of the dynamic natures of power management and load
management. In the past, an anomaly has occurred when there was no
preprogrammed, algorithmic response to a situation. A group of experts
would be assembled to analyze the data, propose experiments, and deduce
a response. Many types of faults have similar traits. Anomaly handling
and some types of faults therefore appear to be a fertile area for an
indepth assessment of expert-system applicability.

1.8 CONCLUSIONS AND RECOMMENDATIONS 

The significant conclusions and recommendations of the study are as 
follows: 

1) To meet basic station objectives and goals presently defined in the 
NASA Space Station Definition Book, all power subsystem automation 
candidates defined in this study, except for anomaly handling, must 
be implemented to a varying degree of automation.

2) Specific functions that have immediate high payoffs for onboard
applications are: 

a) Data Acquisition, Processing, and Storage, 

b) State of Health Monitoring, 

c) Built-in Test and Checkout, 

d) Fault Detection, Isolation, and Correction, 

e) Performance and Trend Analysis, 

f) Integrated Array/Battery Controller and Load Management (Space 
Station Level), 

g) Electrical Consumables Management (Space Station Level).

Automation of any combination of the above functions (a through g) 
will have a significant beneficial effect on mission-operations 
efforts on the ground. A detailed study is recommended to deter- 
mine the effects of onboard automation of monitoring functions on 
ground activities such as failure detection, consumables manage- 
ment, and crew and flight-controller training. 

3) A key driver in when and what to automate in the subsystem is 
spacecraft autonomy level, which must be defined at the program 
level. 

4) The best way to partition an automated activity between the EPS, 
spacecraft system, and ground is to first define each subtask 
required to be performed, and then assign each subtask to EPS, sys- 
tem, and ground, in terms of: 

a) Sensing,

b) Analyzing,

c) Acting; 

5) For real-time control consideration, the principal driver in
hard-wired-versus-software (i.e., using digital computer) trade is the
speed requirement for implementing that control function. There- 
fore, in general, all offline or non-real-time tasks such as moni- 
toring, performance analysis, and fault diagnosis that require slow 
response and are not in the control loop, can be done with a digi- 
tal computer. 

6) The best onboard-application candidates for expert systems for any
of the power automation functions appear to be for electrical-consumables
management and battery-operations management. Potential
ground applications are in non-real-time fault assessment and mission
planning. An in-depth research investigation is desirable and
highly recommended to determine:

a) The range and domain of its applicability to power-system con- 
trol functions; 

b) Adequacy of AI language for onboard use; 

c) Computer hardware (speed, memory) required to support expert- 
system software. 

7) A significant effort in engineering-algorithm development and vali- 
dation is essential in meeting the 1987 technology-readiness date. 
There are many implementation approaches to each automation func- 
tion because they are done by software. Thus, future efforts in 
algorithm development must include optimization processes with sim- 
plicity and reliability in mind. It should be emphasized that al- 
gorithm development also is necessary to permit a detailed design 
of any expert-system software such as that for electrical consum- 
ables and battery management.

2.0 INTRODUCTION


2.1 OBJECTIVES AND SCOPE 

The primary objective of the study was to assess automation technology 
required to support a multihundred-kW photovoltaic power subsystem for 
space station and platforms. To do this, the following five subtasks 
were identified in the statement of work (see Appendix A): 

- Task 1 - Characterize and Classify a Generic Power Subsystem

- Task 2 - Define Faults and Activities That Could Affect Power
  Subsystem Operation

- Task 3 - Define Candidate Automation Tasks

- Task 4 - Partition Automation Tasks between the EPS, Space Station
  (Central Computer), and Ground

- Task 5 - Develop Method for Assessing and Implementing Automation
  Tasks

A secondary objective of this study was to evaluate artificial intelli- 
gence technology and identify its potential role in power subsystem 
automation.

2.2 STUDY GUIDELINES 

The following study guidelines were used: 

- Power Subsystem Type: Photovoltaic/Battery

- Power Level: Multihundred-kW Range

- Modular Design

- Lifetime of At Least 10 Years

- Use of Space Station and Autonomy/Automation Study Documentation:

  - Space Station Systems Definition, Book 5, Nov 82 (Ref 9)

  - Autonomous Spacecraft Program Study for the Air Force by Jet
    Propulsion Laboratory (JPL) (Ref 10-12)

2.3 BACKGROUND INFORMATION 

A major goal of the present Space Station is to implement new designs, 
concepts and methods to reduce life-cycle costs, extend operational 
life, and yield improved system performance. The resulting power sub- 
systems must be flexible, reliable, efficient, controllable, and most 
of all, employ a high degree of automation. To this end, automation 
technologies are expected to make significant and important contribu- 
tions to the development and affordable operation of these missions. 
Therefore, the electrical power subsystems must ensure, in the event of 
a failure, that the onboard power capability will degrade gracefully 
and provide a minimum set of useful services. The ultimate power-sub- 
system configuration would be the one that protects against failures 
and reconfigures itself in the event of a failure so as to continue 
normal operations. 

This study is concerned with automation of functions within the power
subsystem and also space-station level tasks related to it. The term
"automation" has diverse interpretations. It can describe a simple
control of a process by an on-off device, as in a thermostatic control.
It is used to describe a complete feedback-control process that includes
sensing, analyzing, and doing a required operation, like voltage
regulation. Automation has also been used to describe more complex
processes in which the automated system replaces some of the human
activities.

All automation functions fall basically into two categories: monitoring
and control. The monitoring function involves sensing, analyzing,
and displaying solution approaches and simple decisionmaking informa- 
tion for user (i.e., human) disposition. It is not in the control 
loop, so monitoring per se does not affect the reliability of that con- 
trol circuit. A control function consists of all the elements of an 
operation — sensing, analyzing, and effecting. The fundamental problem 
of automation, given that the function should be automated, is that of 
strengthening the designer's and user's confidence that automated func- 
tions will be accomplished effectively and reliably. This requires 
confidence in hardware and software reliability, adequate optimization 
and validation, and flight experience. Questions such as the following 
are of concern to this and future studies involving automation: 

- What is automation all about? What is the minimum level of automa-
  tion? What can be automated?

- Why should automation be undertaken? Can it significantly improve
  the life and performance of some components? Can it increase the
  specific power of the power subsystem? Can it reduce the cost of
  the power and other spacecraft subsystems?

- What system-level studies are needed to evaluate the desirability
  and identify guidelines for subsystem automation development? What
  are the appropriate jobs for the flight crew?

- What effect might automation have on the next version of the sub-
  system design? How can subsystems be designed or modularized to
  minimize the consequences of changes? Can software minimize
  changes? Is standardization an issue?

To address the question of which activities to automate, it is neces- 
sary to examine (1) basic criteria that direct space station (and other 
spacecraft) toward automation, (2) how automation tasks work at the 
component, subsystem, and system levels to meet their objectives, (3) 
problems encountered in past spacecraft, and (4) what has been done in 
past automation efforts.

Table 2.3-1 lists the basic reasons from the system and subsystem
points of view as to why automation is often mandatory in many cases. 
The basic approach necessary in achieving an autonomous operation is to 
provide adequate sensors, redundant hardware, switching capabilities, 
and software. The principal goal of this approach is to prevent loss 
of any critical function via timely reconfiguration and graceful 
degradation. 


Table 2.3-1 Why Autonomy and Automation?


From Mission and Spacecraft Viewpoint: 

- Enable Autonomous Spacecraft Operation, Especially during Degraded 
Modes 

- Enable Rapid Changes in Mission Sequence 

- Enable Onorbit Subsystem Checkout, Verification, and Maintenance 
Quickly and Precisely 

- Decrease Reliance on Ground Stations and Reduce Long-Term Flight 
Operations Cost 

- Decrease Cost of Other Housekeeping Subsystems 


From Subsystem Viewpoint: 

- Reduce Subsystem Size and Weight 

- Increase Operational Life and Performance Reliability 

- Decrease Subsystem Cost 

- Respond Rapidly to Malfunctions 

- Permit Maximum Use of Capability 

- Permit Graceful Degradation 

- Overcome Technology Limitations 

- Accommodate New Technologies 


Table 2.3-2 shows the key projects collectively representing the state 
of development in spacecraft power subsystem automation. Note that the 
more recent efforts by the Air Force are being performed at the space- 
craft level. The principal features and results of these major pro- 
grams (Ref 4 through 8) are summarized in Table 2.3-3. It should be 
emphasized that the microprocessor is the key technology that enabled 
these development projects to be carried out effectively. However, 
several key issues have yet to be addressed and validated. Among these 
are processor redundancy configuration and management strategy,
processor fault-tolerant criteria and implementation approach, and
optimization of application software and long-term validation.



Table 2.3-2 Major Projects Involving Spacecraft Power Subsystem Automation

Project                                           Dates      Funding Source  Contractor
------------------------------------------------  ---------  --------------  ---------------
ARMMS (Autonomous Redundancy and Maintenance      1982-1986  AF-STC          JPL
  Management Subsystem)*
Autonomous Spacecraft*                            1981-1986  AF-STC          JPL
Power Subsystem Automation Study                  1982-1983  NASA-MSFC       Martin Marietta
Energy Management System Software Development     1983-1984  NASA-MSFC       Martin Marietta
  (Expert System Demonstration)
MAPS (Miniaturized Autonomous Power System)       1980-1982  Classified      Martin Marietta
AMPS (Autonomously Managed Power System)          1978-1982  NASA-MSFC       TRW
P³ (Programmable Power Processor)                 1979-1981  NASA-MSFC       Martin Marietta
APSM (Automated Power Subsystem Management)       1978-1979  NASA HQ-JPL     Martin Marietta
SBPS (Single-Cell Battery Protection System)      1975-1977  NASA-LeRC       Martin Marietta

*Spacecraft level, including power subsystem.


Table 2.3-3 Principal Features and Results of Major Projects

ARMMS (Continuing) (Ref 4)

  Features:
  - Add-On Computer-Based Subsystem
  - Interfaces Only with Satellite TT&C
  - Receives TM Data, Determines Maintenance, and Implements
    Contingency Plans
  - Allows for Evolutionary Development
  - Test Bed for Ground Validation
  - Emphasis: Algorithms, Architecture, and Proof of Concept

  Key Results:
  - Engineering Algorithms Defined for DSCS III Satellite
  - Communication Interfaces and Computer Architecture Defined
  - Functional Requirements Identified
  - CMOS Processor (16-bit)
  - Spacecraft Telemetry Simulator Designed

AMPS (Continuing) (Ref 5)

  Features:
  - 250-kW Design (17 Channels, 16.7 kW Each); Channels Isolated
  - 220-Vdc Nominal
  - 150-A-h, 160-Cell, Ni-H2 Battery per Channel
  - Algorithms: Power Source, Load Center, and EPS Management

  Key Results:
  - Detailed System Design Completed
  - Algorithms Designed
  - Array Series-String Switching for Voltage Control
  - Computer Architecture and Hardware Defined

P³ (Completed) (Ref 6)

  Features:
  - Charger or Regulator Function via Software Change
  - Single Imbedded Computer (TI9900)
  - Input/Output:
    - Input: 26 to 375 Vdc
    - Output: 24 to 180 Vdc
  - Algorithms: Array Peak-Power Tracking, Caution and Warning,
    Current Limit

  Key Results:
  - Engineering Prototype Designed
  - Algorithms Demonstrated and Validated

APSM (Completed) (Ref 7)

  Features:
  - Test Bed Using V075 Power Subsystem Components
  - Distributed Processors with Central (TI9900) and Local
    (RCA 1602)
  - Cell-Level Battery Protection (One Battery)
  - Algorithms: Data Handling, Monitoring, Control, Resource
    Management, Fault Handling

  Key Results:
  - Test Bed Operational
  - Algorithms Functional
  - Fault Simulators
  - Distributed-Microprocessor Concept Demonstrated

SBPS (Ref 8)

  Features:
  - Cell-Level Protection, Both Analog and Digital Configurations
  - Intel 8008 & 8080 Processors
  - 18-Cell Secondary AgZn Battery

  Key Results:
  - First Use of Microprocessor Verified on Secondary AgZn Battery
    Protection
  - Hardware and Software Demonstrated
  - Battery Cycle-Life Improvement (AgZn)

Effective use of automation often implies performance of several tasks
concurrently. This means both subsystem- and system-level tasks should 
be identified and evaluated. Successful automation of the space sta- 
tion may, therefore, transcend boundaries created in the past between 
disciplines. The classical parochial and dissected view of a space- 
craft is likely to be changed. The interaction between the EPS, life- 
support subsystem (LSS), and thermal-control subsystem (TCS), for exam- 
ple, can be so involved that functions like load sequencing and overall 
power management can be viewed only at the system level. One attractive
system-level automation task is spacecraft energy management.
This involves a carefully coordinated electrical-load management that
satisfies both experimental needs and the functional requirements of 
critical subsystems such as LSS and TCS. This activity can signifi- 
cantly reduce the battery mass, which is a substantial fraction of the 
overall space-station weight if a conventional approach is used.

TASK 1 - CHARACTERIZATION AND CLASSIFICATION OF POWER SUBSYSTEMS


OBJECTIVE 


The objective of this task was to classify and characterize the photo- 
voltaic power subsystem and its major elements. This task was intended 
to provide the basis for subsequent study tasks. 

SUMMARY 

A generic photovoltaic power subsystem was defined by identifying the 
most promising components under each of the following five major 
categories: 

1) Photovoltaic array, 

2) Power conditioning, 

3) Batteries, 

4) Power distribution, 

5) Power control. 

Thermal control hardware was not considered in this study. However, it
must be recognized that heat dissipation management presents a
significant problem for high-power systems. Other elements such as
gimbals, sensors, signal conditioning circuits, and auxiliary power
sources were included. Typical subsystem arrangements were also
identified. These arrangements fall into two basic classes according to
the power conditioning strategy used: series regulation and direct
energy transfer.

The power subsystem interfaces with all electrical components that use
power and with the spacecraft subsystem involved in data acquisition
and command functions (C&DH and control and display subsystems).

The photovoltaic power systems can be classified roughly by:

1) Application or mission type: LEO, medium altitude, GEO, planetary;

2) System arrangement: series regulation (SR) or direct energy
transfer (DET);

3) Bus voltage level and type: ac, dc, or combination.

A key system performance parameter is the overall specific power (W/lb),
which is basically a function of the type of solar cell and battery
cell used and the orbit altitude. Typical values estimated by the Air
Force (Ref 16) are depicted in Figure 3.0-1 for several combinations of
this hardware. The specific power for a system is highly dependent on
the battery energy density used.

3.1 SYSTEM CONFIGURATION 

3.1.1 General Classification 

A power subsystem for any spacecraft comprises the following generic 
elements: 

1) Energy source, 

2) Energy storage, 

3) Power conversion, 

4) Power processing (conditioning), 

5) Power distribution, 

6) Power control.

Figure 3.0-1 Specific Power Projection for Photovoltaic Power System

Figure 3.1.1-1 shows the relative arrangement of these subsystem
elements along with their principal interfaces. In past spacecraft,
control and data interfaces from the spacecraft C&DHS to the power
subsystem components were distributed rather than centralized in the
power control as depicted in Figure 3.1.1-1. That is, data and control
signals were usually routed directly to the power subsystem assembly,
such as the power distribution unit and the battery charger.



Figure 3.1.1-1 Generic Power Subsystem Elements and Interfaces


The photovoltaic power subsystem was defined to include various
components listed under each major subsystem category (Fig. 3.1.1-2).
Each component was characterized by key design features, operating
characteristics, state of the art, flight history, and types available.
Flywheel energy storage was the only component in Figure 3.1.1-2 that
was not characterized because of its low development state. System-level
options, such as dc bus voltage level, ac vs dc, and number of power
channels, are listed in Figure 3.1.1-3.

[Figure 3.1.1-2 is a block diagram; the labels recoverable from it are
listed below in the order they appear.]

- Nonconcentrating Arrays

- Dc-dc Converter
- Series Resonant Converter
- Transformer-Coupled Converter
- Partial/Full Shunt Regulator
- Dc-ac Inverter
- P³ Technology
- Housekeeping Power Supplies

Batteries:
- NiCd
- NiH2 (IPV, CPV)
- Fuel Cell, Regenerative, H2-O2

- Mag Latch Relays
- Motor-Driven Switches
- Solid State
- Fuses
- Circuit Breakers
- Solid-State Power Controllers
- Cabling
  - Copper
  - Aluminum
  - Flat and Round

Gimbals:
- Slip/Roll Ring
- Flex Cable
- Rotary Transformer

Auxiliary Power Sources:
- AgZn Battery
- LiSOCl2 Battery
- Fuel Cell, H2-O2
- Chemical Turbomachinery

Sensors and Signal Conditioning Circuits

Figure 3.1.1-2 Photovoltaic Power Subsystem Options

Figure 3.1.1-3 System-Level Options for a Multihundred kW Power Subsystem

The arrangement of the electrical power subsystem connecting the solar
arrays, batteries, power conditioning, and power distribution network
to the user loads is critical to reducing the specific weight and cost
of the subsystem and improving its efficiency. Figure 3.1.1-4 shows
the two basic arrangements that have been used predominantly in
spacecraft: one is a direct energy transfer (DET) and the other is a
series regulation (SR) type. These configurations differ basically in
their methods of controlling the solar array output voltage and
providing battery charge/discharge protection.

Configuration I features a dc battery charger and peak-power tracker
combination. The peak-power tracker integral to the battery charger 
provides maximum solar array energy collection whenever the battery is 
not fully charged and can accept the available power. 

Configuration II requires no dc battery charger but relies on full- 
shunt regulation to limit battery charge voltage. This arrangement 
eliminates the cost of the dc charger and the efficiency loss caused by 
charger operation. The increase in total system efficiency gained by 
deleting the series charger more than offsets nonoptimum solar array 
operation off the peak-power point. The main penalty of this full- 
shunt regulator approach is the need to dissipate a large amount of un- 
usable array power in the regulator. 

Configuration III controls the dc bus voltage in a manner similar to 
II, and is known as a partial shunt regulation system. Its advantages 
over II are basically a much lower level of power dissipation (in the 
bypass switches) and elimination of the full-shunt regulator hardware. 
Its principal drawback is control complexity and related electronics. 


[Figure panels: Configuration I (SR), Configuration II (DET), and
Configuration III (DET); the main dc bus is labeled in the diagrams.]

Note:

1. Main dc bus is connected to a load regulator,
inverter, and/or power distributor.

2. The bypass switch in Configuration III can be
linear partial shunt or digital switch.

Figure 3.1.1-4 Basic Photovoltaic Battery Power Subsystem Arrangements

A combination of II and III, controlled by a microprocessor, has been
used very effectively in a large terrestrial system (Ref 14, 15). Its
advantages are:

1) The overall system cost is lowest (compared to I and II) because
the intermediate power processor is eliminated and the partial sub-
array on/off switching approach permits the full-shunt regulator to
be sized to only handle a fraction of the total available power
(partial shunt regulator), and thereby minimize thermal dissipation
management.

2) The partial shunting approach provided a very flexible and effec- 
tive battery control for four 240-Vdc batteries in parallel. 

3.1.2 Specific System Arrangements 

The modular nature of a PV/battery system allows this power source to
be used in applications ranging from a few watts to megawatts. For a
multihundred kW system, the key tradeoff issues are (1) the main dc bus
voltage level (120 vs 240 Vdc), (2) ac vs dc for main power
distribution, and (3) the power distribution scheme to meet the
redundancy criteria. An example of an arrangement that can provide a
combination of unregulated (150 to 300 Vdc) and regulated (200 to
300 Vdc) HV, low voltage (28 Vdc), and ac power in a DET configuration
is shown in Figure 3.1.2-1. This arrangement can serve as a building
block to scale up to the required Space Station power levels while
providing redundancies in power channels. The power distribution
configuration and load control strategy must be carefully designed at
the system level to provide the flexibility required for load
management during various phases of station growth. Several examples of
photovoltaic power system configurations are presented in simplified
forms in Appendix B.

Figure 3.1.2-1 An Approach to a High-Power System to Provide HV and LV dc and ac Power

3.2 PHOTOVOLTAIC ARRAY 


An array consists of a number of solar cell module strings or branches
connected at the dc bus. The number of modules in series is determined
by the desired dc bus voltage level, and the number of strings by the
total array power required. Key factors affecting the electrical
performance of the PV array are: (1) solar irradiance; (2) solar cell
temperature; (3) solar incidence angle; (4) charged particle radiation;
(5) reverse voltage breakdown; (6) plasma arcing; and (7) electrical
wiring configuration including line resistances and bypass diodes.


The solar arrays can be classified by how they are mounted to the 
spacecraft and oriented to the Sun. The three basic array types are 
body mounted, paddle mounted, and panels mounted and Sun-oriented as 
shown in Figure 3.2-1. To reduce the array area, high-power multi-kW 
spacecraft would require array articulation capability for Sun 
orientation.

Figure 3.2-1 Basic Solar Array Configurations

The types of photovoltaic systems applicable to the space station are 
as follows: 

1) Planar, nonconcentrating array (SEP and ultralightweight arrays),

2) Concentrating array (Cassegrainian and trough).

The basic features of specific candidate designs of each array type are
summarized in the following subsections.

3.2.1 SEP Solar Array (Ref 16) 


Description - The SEP solar array consists of five major components:
array blanket, mast, tensioning mechanisms, containment box, and box
cover (Fig. 3.2.1-1). The solar array wing can extend or retract fully
or partially to a predetermined point. Table 3.2.1-1 lists SEP blanket
physical characteristics.


[Figure: SEP solar array wing. Labeled components include the array
preload mechanism, array harness, intermediate tension negator, guide
wire negator, containment box cover, guide wire, guide wire grommet,
panel hinge, intermediate tension distribution bar, array storage
container, extension/retraction mast, tension box negator, mast
canister, and blanket. Labeled dimensions: 4.0 m (157 in.) and
31.6 m (1244 in.).]

Figure 3.2.1-1 SEP Solar Array Wing

Table 3.2.1-1 SEP Array Blanket Characteristics (One Wing)

Item                                                 Value
---------------------------------------------------  ------------------------------
No. of Cell Assemblies/Electrical Module             1530
No. of Electrical Modules/Wing                       82
No. of Cell Assemblies/Wing                          125,460
Single Cell Area                                     8068 cm²
Total Cell Area                                      101.47 cm²
Nominal Cell Spacing (On-Array Padding)              1.09 mm (0.043 in.)
Overall Blanket Area 41x158x29.9 in.*                125 m² (1345 ft²)
Cell Area Packing Factor (1.19 mm Cell Spacing)      0.887
Overall Blanket Area Cell Packing Factor             0.812
Printed Circuit Substrate Area Density (No Cells)    0.1358 kg/m² (0.02776 lb/ft²)
Substrate Plus Cell Assemblies Area Density          1.0132 kg/m² (0.2072 lb/ft²)
Total Blanket Plus Harness Area Density+             0.9785 kg/m² (0.2001 lb/ft²)

* Includes area for array harness, panel stiffening, and panel-to-panel
hinges.

+ Includes hinges, panel stiffening, on-array padding, and tension-
distribution bars.


The mast is a continuous longeron lattice structure made from
high-temperature polyimide resin (see Table 3.2.1-2). The deployment
canister used to extend and retract the mast uses two 27-Vdc motors, is
58 in. high and 16.24 in. in diameter, and weighs 17.35 kg (38.17 lb).


Principal Operating Characteristics - The present-technology 25-kW SEP
array uses a 12.3% efficiency solar cell having a back-surface
reflector. The solar cell also employs a dielectric wraparound contact.
Table 3.2.1-3 lists solar-cell characteristics. The array system is
composed of two wings, each providing 12.5-kW BOL power at 1 AU. The
array sizing assumes the following losses:

- Assembly: 3%
- Bussing: 4.4%
- Diode: 0.4%

Present-Technology Array Design Provides 66 W/kg Using the Minimum
Cell Efficiency

Table 3.2.1-2 Extension Mast Design

Mast Diameter: 37.3 cm (14.7 in.)

Mast Mass: 16.74 kg (36.8 lb)

Longerons:

- Cross-Section: 0.553x0.572 cm (0.218x0.225 in.). Rectangular, with
  Corners Rounded to 0.030-in. Radius

- Material: S-Glass/Polyimide Composite Using 20-End-Glass Roving/
  PMR15 Polyimide Resin

Battens:

- Cross Section: 0.457x0.457 cm (0.18x0.18 in.). Square, with
  Corners Rounded to 0.030-in. Radius

- Material: Same as Longerons

Diagonals: 3/64-in. Diameter, 3x7-Strand, Stainless-Steel Cable

Bay Length: 23.9 cm (9.0 in.)

Mechanical Properties:

- Bending Stiffness: 62.8 kN-m² (21.96 x 10⁶ lb-in.²)

- Bending Strength: 1.64 m-N (1456.3 in.-lb). Minimum Value Associated
  with One Longeron in Compression

- Shearing Stiffness: 87.2 kN (19,620 lb)

- Shearing Strength: 134.8 N (30.33 lb)

- Torsional Stiffness: 1.453 kN-m² (5.08 x 10⁵ lb-in.²)

- Torsional Strength: 970.7 N (218.4 lb)
Table 3.2.1-3 Present Technology 25-kW Array Solar Cell Design Features

Item                                          Value
--------------------------------------------  ------------------------------
Covered Efficiency (Based on Total Cell       12.3%
  Area and 135.6 mW/cm²)
Diffusion Depth                               1200 to 2000 Å
Cell Base Resistivity                         2 ohm/cm
Solar Cell AR Coating                         MLAR
Back-Surface Field                            No
Back-Surface Reflector                        Yes
Contact Material                              Cr-Pd-Ag or Ti-Pd-Ag
Cover Cut-On Wavelength                       350 nm
Coverslide Material                           Fused Silica (Alternate:
                                              Ceria Stabilized Microsheet)
Cell Size                                     2x4 cm, nominal
Cell Thickness                                200 micrometers (8 mils)
Cover Thickness                               150 micrometers (6 mils)
Coverslide Adhesive                           DC 93-500

Testing of the full-scale coilable longeron extension mast resulted in
a mass-stiffness measurement of 15.15 x 10⁶ lb-in.² compared to the
19.6 x 10⁶ lb-in.² requirement. The associated weight increases
along with the achieved cell assembly weights require a cell-efficiency
increase from 11.4% to 12.3% to meet a specific power of 66 W/kg. This
also reduces the number of panels per wing from 41 to 38 (25-kW array)
and decreases the extension length from 32.0 m to 31.2 m.

Flight History - None; SAFE experiment is scheduled on shuttle orbiter 
flight in mid-1984. 

Types/Manufacturer - Lockheed Missile and Space Company. 

3.2.2 Ultralightweight Solar Array (Ref 17) 

Description - Ultralightweight Solar Array is being developed by TRW 
for use in applications where existing technology is limited. This 
design is directed toward the following goals: 

- Retractable, Redeployable

- Low Cost

- Modular/Scalable over 10 to 70 kW (BOL)

- Compatible with Automatic Fabrication/Assembly Processes

The array configuration consists of one or two flatpack foldout Kapton 
blankets contained in a graphite-epoxy stowage box attached to a 
strongback deployment structure. The blanket and container are inte- 
grated with a mast-stowage canister containing a coilable trilongeron 
mast for extension and retraction of the solar-cell blankets. Figure
3.2.2-1 shows the full-power two-blanket design. The total weight for
the full-power design, made up of the blanket, blanket box system, and
the blanket extension system combined, is 1262.8 lb (572.7 kg). Table
3.2.2-1 lists physical characteristics.


All dimensions are in inches.

Figure 3.2.2-1 Two-Blanket Ultralightweight Solar Array (Ref 17)


Principal Operating Characteristics - The full-power, two-blanket
design has a BOL power of 72 kW per spacecraft (68°C at 235 nmi, 60°
inclination). End-of-life power (10 years) is approximately 17% less, or
61.7 kW per spacecraft. BOL open-circuit voltage is 425 V derating to
an EOL voltage of 178 V (peak power at orbit MAX Temp of 80°C). Table
3.2.2-2 shows the array's performance analysis.

Table 3.2.2-1 Physical Characteristics, Full Power, 2 Blanket

Item                                          Value
--------------------------------------------  ------------------------------
No. of Wings/Spacecraft                       2
No. of Blankets/Wing                          2
No. of Active Panels (with Cells)/Blanket     96
Blanket Panel Size                            178.3x14.8 in.
Blanket Size (Including Leader Panels)        178.3x1450 in.
Mast Deployed Length                          1470
Mast Diameter                                 21 in.
Mast Canister Length                          66 in.
Mast Canister Diameter                        23 in.
Wing Width                                    396 in.
No. of Blanket Boxes/Wing                     2
Blanket Box Size                              180x18x7 in.
Deployed Wing Natural Frequency               0.04 Hz
No. of Panels/Electrical Module               2 Modules per 3 Panels
No. of Electrical Modules/Wing                128
Cell Type and Size                            2 ohm-cm BSR; 4.08x2.35 cm
                                              x 8 mil
Cover Type and Size                           Fused Silica, 6 mil
No. of Cells/Panel                            174 x 8 = 1392
No. of Cells/Blanket                          133,632
No. of Cells/Wing                             267,264
Wing Weight                                   601 kg


State of the Art - Level 5 to 6 is estimated.


Flight History - None 


Types/Manufacturer - TRW

Table 3.2.2-2 Array Performance Summary

Parameter                                  BOL/EOL  Temp   BOL       EOL
                                           Factor
Cell Efficiency (2-ohm-cm BSR)             —        28°C   13.3%
  At Vmp = 0.49                                     28°C   490 mV
Cell Efficiency:
  [1 - 0.0046 (68 - 28)] 13.3%             0.85     68°C   10.9%     9.26%
  At 490 - 2.2 (68 - 28) mV                0.96     68°C   402 mV    386 mV
Cell Output:
  8.57 cm² x 10.85% x 135.3 mW/cm²         0.85     68°C   126 mW    107 mW
Half-Panel Output: 4p x 104s x 0.126 W     0.85     68°C   52.3 W    44.7 W
  At 104s x 0.402 V                        0.96     68°C   41.8 V    40.1 V
Module Output: 5 x 0.96 x 52.3 W           0.85     68°C   251 W     215 W
  At 5 x 0.96 x 41.8 V                     0.96     68°C   201 V     193 V
Blanket Output (36 Modules, 90 Panels)     0.85     68°C   9.04 kW   7.72 kW
Wing Output (4 Blankets)                   0.85     68°C   36.2 kW   30.9 kW
Array Output (2 Wings)                     0.85     68°C   72.3 kW   61.8 kW

Cell Size 4.08x2.10 cm = 8.57 cm². Output Values Rounded to 3
Significant Figures.

Temperature Coefficient,
Power: -0.46%/°C
Voltage: -2.2 mV/°C
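
The chain of Table 3.2.2-2, from the 28°C cell data through the temperature coefficients up to the two-wing array, can be carried through in a few lines. The following is an added example, not part of the report; the names bol_chain and eol_chain are chosen here, and the operating temperature is left as a parameter so that other orbit temperatures can be tried.

```python
"""Array performance chain of Table 3.2.2-2 (added example, not from the report)."""

# Inputs as read from Table 3.2.2-2 and its footnotes.
EFF_28C = 0.133               # cell efficiency at 28 degC (2-ohm-cm BSR)
VMP_28C_V = 0.490             # cell voltage at 28 degC (490 mV)
POWER_COEFF_PER_C = 0.0046    # fractional efficiency loss per degC
VOLT_COEFF_V_PER_C = 0.0022   # voltage loss per degC (2.2 mV/degC)
REF_TEMP_C = 28.0
CELL_AREA_CM2 = 4.08 * 2.10   # footnote cell size, about 8.57 cm^2
SOLAR_FLUX_W_CM2 = 0.1353     # 135.3 mW/cm^2
CELLS_PARALLEL = 4            # half-panel is 4p x 104s
CELLS_SERIES = 104
HALF_PANELS_PER_MODULE = 5
MODULE_FACTOR = 0.96          # factor printed in the module row
MODULES_PER_BLANKET = 36
BLANKETS_PER_WING = 4
WINGS_PER_ARRAY = 2
EOL_POWER_FACTOR = 0.85       # BOL-to-EOL factor for efficiency and power
EOL_VOLT_FACTOR = 0.96        # BOL-to-EOL factor for voltage


def bol_chain(temp_c=68.0):
    """Return BOL efficiency, power (W) and voltage (V) at each array level."""
    dt = temp_c - REF_TEMP_C
    cell_eff = EFF_28C * (1.0 - POWER_COEFF_PER_C * dt)
    cell_v = VMP_28C_V - VOLT_COEFF_V_PER_C * dt
    cell_w = CELL_AREA_CM2 * cell_eff * SOLAR_FLUX_W_CM2
    half_panel_w = CELLS_PARALLEL * CELLS_SERIES * cell_w
    half_panel_v = CELLS_SERIES * cell_v
    module_w = HALF_PANELS_PER_MODULE * MODULE_FACTOR * half_panel_w
    module_v = HALF_PANELS_PER_MODULE * MODULE_FACTOR * half_panel_v
    blanket_w = MODULES_PER_BLANKET * module_w
    wing_w = BLANKETS_PER_WING * blanket_w
    array_w = WINGS_PER_ARRAY * wing_w
    return {
        "cell_eff": cell_eff, "cell_w": cell_w, "cell_v": cell_v,
        "half_panel_w": half_panel_w, "half_panel_v": half_panel_v,
        "module_w": module_w, "module_v": module_v,
        "blanket_w": blanket_w, "wing_w": wing_w, "array_w": array_w,
    }


def eol_chain(bol):
    """Apply the table's BOL-to-EOL factors: 0.96 to voltages, 0.85 otherwise."""
    eol = {}
    for key, value in bol.items():
        factor = EOL_VOLT_FACTOR if key.endswith("_v") else EOL_POWER_FACTOR
        eol[key] = value * factor
    return eol


if __name__ == "__main__":
    bol = bol_chain()
    eol = eol_chain(bol)
    # Values are carried unrounded; the table rounds every row to three
    # significant figures, so the last digit can differ. The printed EOL
    # power rows differ from a straight 0.85 scaling by under 1%.
    for key in bol:
        print(f"{key:14s} BOL {bol[key]:12.4f}   EOL {eol[key]:12.4f}")
```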


3.2.3 High Concentration Array - Cassegrainian (Ref 18)


Description - A development program is in progress (AF and NASA) for a
miniaturized Cassegrainian concentrator solar array. The main interest
in this type of array is to develop a multikilowatt solar array at a
lower cost without sacrificing the performance of present technology,
and to harden it against weapon threats.


The Cassegrainian concentrator consists of a small solar cell centered
in the base of a parabolic primary reflector with a hyperbolic
secondary reflector mounted above the solar cell (Fig. 3.2.3-1). The
solar cell is surrounded by a light-catching cone to improve
performance under off-pointing conditions. Relief from thermal stress
on the solar cell is accomplished by mounting it on a molybdenum base,
which is then mounted to the aluminum radiator. The incident solar
radiation is reflected from the primary parabolic reflector to the
secondary hyperbolic reflector and finally to the solar cell.





[Figure 3.2.3-1: Single-Element Assembly. Labels: Hyperbolic Reflector,
Parabolic Reflector, Cup and Cell Stack Assembly, Catcher Cone;
dimension 3.17 mm.]







The concentrator element described above is comparable in thickness to
conventional panels; each element is 52 mm diameter and 13 mm thick.
Several elements can be connected together for high-power use.

Principal Operating Characteristics - The Cassegrainian concentrator is
in its early development stages. More testing needs to be completed
before all the operating parameters are known. Table 3.2.3-1 lists
present characteristics.

Table 3.2.3-1 Operating Characteristics

- Miniaturization action of concentrator results in excellent heat
  distribution.

- Passive thermal control provides low steady-state solar cell
  temperature range of 75° to 95°C.

- Effective concentrator ratio of 88 to 100.

- Reduction of recurring cost using very small solar cells in
  conjunction with low-cost optics.

- Primary and secondary reflectors have a common focal point, an
  f-number of 0.25, and a rim angle of 90 deg.

- Concentrator panel comparable area and performance (W/m² and W/kg) to
  conventional rigid solar array.

- Typical performance 100 W/m² and 20 W/kg with 20%-efficient solar
  cells.

Component-misalignment testing showed that performance falls by approx- 
imately 25% as the secondary reflector is moved 0.4 mm toward the pri- 
mary reflector and remains constant as the secondary reflector is moved 
away from the primary reflector by as much as 0.5 mm. 

State of the Art - Technology Level 4 is estimated. A nine-element
demonstration module has been subjected to functional checkout tests.
It has performed in a manner similar to the single-element module and
is ready for comprehensive performance testing.

This type of array can use advanced high-efficiency cells for greater
array performance. To date, the effective concentration ratio is 88;
future designs can be from 100 to 130. Future designs will also have
reduced blockage losses, presently at 21%.

Flight History - None 

Types/Manufacturer - TRW 

3.2.4 Low-Concentration Array - Trough/Pyramidal (Ref 19) 

Description - The trough, or pyramidal, concept is based on a
concentrator element having a four-sided, truncated pyramid
configuration. Two of the reflector panels fold up with the solar panel
for compact stowage. The element is designed for a
geometric-concentration ratio of six suns, and can be used with silicon
(Si) or gallium-arsenide (GaAs) solar cells.

The array consists of several rectangular modules with a total area of
about 1400 m². Each module contains approximately 4400 pyramidal
elements. Modules can be stored as cubes (3.24 m per side) in the
Space Shuttle payload bay. The deployed module is 19.5x70.0x0.54 m.
Figure 3.2.4-1 shows the module deployment stages and dimensions.

Three canister-and-mast assemblies extend from each side of the housing 
in two directions by connections to the end caps. The concentrator 
elements are supported by cables connected between the end caps and 
housing. The cables are maintained under constant tension through 
negator-cable extension mechanisms. 

This type of array is expected to generate more than 300 kW of power in 
orbit by a single Shuttle launch. The array would comprise up to four 
solar-array panels, each having a power output greater than 75 kW.

Figure 3.2.4-1 Concentrator Array Module Configuration

Principal Operating Characteristics - Two basic solar panel designs
have been baselined corresponding to projected characteristics of
silicon and gallium arsenide cells. Table 3.2.4-1 summarizes these
characteristics.

State of the Art - This technology is estimated to be Level 3. Results
to date indicate that a concentrator array module is a practical,
low-cost approach for multihundred-kilowatt solar array systems for
space applications. The modularity design concept can be extended to
provide a hardened array configuration with gallium arsenide solar
cells used for application to lower-power-level missions.

Flight History - None 

Types/Manufacturer - Rockwell International

Table 3.2.4-1 Solar Panel Characteristics (Ref 19)

                                      Solar Cell
Parameter                             Si                  GaAs
Conversion Efficiency, %
  (AM0, 28°C)                         14                  18
Solar Absorptance                     0.70                0.75
Low CR Optimized                      Yes                 Yes
Back-Surface Reflector                Yes                 N/A
Back-Surface Field                    No                  N/A
Thickness, mm                         0.25                0.30
Surface Dimensions, mm                50x50               19x19
Cover Type/Thickness, mm              Fused Silica, 0.2   Fused Silica, 0.2
Substrate Radiator Characteristics:
  Thickness, mm                       0.6                 0.5
  Ar/A?                               2.0                 2.0
  Solar Absorptance                   0.22                0.22
  Emissivity                          0.85                0.85


3.3 ENERGY STORAGE 

Energy storage devices presented in this subsection are those that can
be used for long-term operation. Included are Ni-Cd, Ni-H2, and RFC
systems.

3.3.1 Nickel-Cadmium

Description - The Ni-Cd battery consists of several hermetically sealed
cells connected in series. The number of cells in a series is
determined by the dc bus voltage. A 28-Vdc system usually has 22 cells,
and a 240-Vdc system would require about 200 cells in series.

A typical cell is encased in a prismatic stainless steel container. It
has a number of positive and negative plates insulated from each other
and the metal case by separator material. Potassium hydroxide is
normally used as the electrolyte. Reference 20 provides a detailed
description of design, manufacturing, and operational characteristics
of the Ni-Cd cell.

Principal Operating Characteristics - The operating characteristics of
a nickel-cadmium battery are a function of state of charge, depth of
discharge, number of cycles, the duration of charge/discharge cycles,
and operating temperature. All these variables are controllable to a
certain extent either directly or indirectly. Because of the large
uncertainty in the performance behavior of the Ni-Cd battery (and all
others), battery operation management is one of the best candidates for
automation via computers.

Typical charge-discharge voltage profiles are shown in Figure 3.3.1-1
as a function of state of charge. The desired range of charge voltage
limit can vary from 1.40 volts to 1.60 volts, and discharge voltage is
about 1.2-Vdc average per cell.

Figure 3.3.1-2 depicts one set of cycle-life data (Ref 20) available on
an LEO mission. These data, as well as others in open literature, are
based on 5-cell to 22-cell battery pack testing. Thus, many
uncertainties exist in projecting the life of a possible 200-cell
battery pack configuration of the space station batteries.

Figure 3.3.1-3 shows the mass of the Ni-Cd cell from several suppliers
as a function of rated capacity (36 to 41 gm/Ah).

State of the Art - Sealed nickel-cadmium cell batteries were developed 
for space applications. They have served as a reliable energy-storage 
system for the majority of spacecraft flown.

Figure 3.3.1-2 NiCd Battery Cycle Life Projection for LEO Application
(Ref 13)

Ni/Cd Data Sources*:
A = Fit to Crane Data, 20-25°C
B = GSFC Mac Design Spec.
C = Fono
D = Elliason
E = Est 0-10°C with Special Controls and Reconditioning

*From J. B. Trout, "Energy Storage for LEO Operations at High Power,"
AIAA/NASA Conf, Hampton, VA, May 8-10, 1979

Figure 3.3.1-3 Relationship of Mass to Capacity for Spacecraft NiCd Cells

Recently, the primary advances have been in the areas of:

- Seal Improvement for Reliability
- Increased Cell Capacity
- Specific Energy Improvements
- Lightweight Container Designs

Major emphasis for advanced technical development efforts has been on:
(1) reduced weight for geosynchronous and medium-altitude spacecraft,
(2) increased life capability to more than 10 years at 85% depth of
discharge for GEO, and (3) increased life to more than five years for
LEO applications.

Flight History - Nickel-cadmium batteries have been flown on most 
spacecraft requiring long-life operation. 

Types/Manufacturer - The primary suppliers of nickel-cadmium cells for
aerospace use are General Electric, Eagle Picher, and SAFT America.
Several sizes, up to 50 Ah, are now available.

3.3.2 IPV and CPV Nickel Hydrogen Battery 


Description - The nickel-hydrogen cell is contained in a hermetically
sealed pressure vessel (Fig. 3.3.2-1). It is a derivative of the Ni-Cd
cell design via substitution of the negative electrode (from cadmium to
hydrogen).

Nickel-hydrogen systems, like other batteries, require multiple cells 
in series to attain the necessary bus voltage. 

Two basic types available are referred to as the individual pressure
vessel (IPV) and common pressure vessel (CPV). The CPV design contains
several cells connected in series within one common pressure vessel.

Figure 3.3.2-1 Schematic of a Ni-H2 Cell

Principal Operating Characteristics - Figures 3.3.2-2 and 3.3.2-3 show
charge/discharge curves for a typical Ni-H2 cell. Internal pressure
in a nickel-hydrogen cell varies linearly with state of charge.

Figure 3.3.2-2 Typical Charging Characteristics of Ni-H2 Cell (Ref 21)

Table 3.3.2-1 presents the physical characteristics for Yardney 30-A-h
and 50-A-h nickel-hydrogen cells. These cells are similar in size and
shape to cells of other vendors.

State of the Art - COMSAT Laboratories initiated the exploratory
development of nickel-hydrogen cells in early 1970, followed by the Air
Force in 1972. Since then, primary development occurred in the
following areas:

1) Lightweight cells,

2) Basic cell design,

3) Production capability for electrochemically impregnated nickel
   electrodes,

4) Common pressure vessel.

Figure 3.3.2-3 Typical Discharge Characteristics of Ni-H2 Cell (Ref 21)

Table 3.3.2-1 Physical Characteristics

             YNH 30-2                YNH 50-3
Weight:      1.96 lb (887 g)         2.79 lb (1270 g)
Volume:      46.4 in.³ (715 cm³)     52.3 in.³ (857 cm³)
Length:      8.0 in. (20.3 cm)       9.0 in. (22.9 cm)
Diameter:    3.5 in. (8.9 cm)        3.5 in. (8.9 cm)















Flight History - Nickel-hydrogen batteries were launched in 1976 on the
Navy NTS-2 satellite and the Air Force flight experiment satellite.
Nickel-hydrogen batteries are planned for the following spacecraft:

1) Intelsat V and VI Communication Satellite;

2) U.S. Air Force SDS Satellite;

3) GTE "G-Star" Satellite;

4) Southern Pacific "Spacenet" Satellite;

5) ESA "L-Sat" Satellite.

Types/Manufacturer - Yardney Electric Corporation and Eagle Picher Co.

3.3.3 Bipolar Nickel Hydrogen Battery 

Description - Bipolar Ni-H2 cells provide a concept more closely
resembling a fuel cell system than a traditional nickel-cadmium battery
pack. This modular concept, with projected energy densities of 44 to 53
W-h/kg (20 to 24 W-h/lb) and 700 to 900 W-h/ft³, has significant
potential improvements in reliability, energy density, cycle life, and
cost (Ref 22, 23). The nickel-hydrogen battery using bipolar
construction in a common pressure vessel is shown in Figure 3.3.3-1.

Principal Operating Characteristics - The basic specifications for a
35-kW battery are listed in Figure 3.3.3-2. The weight estimates for
this battery are listed in Table 3.3.3-1.

State of the Art - A preliminary design of a 35-kW nickel-hydrogen
battery featuring bipolar construction, a common pressure vessel and
active cooling is being developed for possible applications requiring
high power energy storage.

[Figure labels: Coolant, Coolant Manifold, Endplate, Bipolar Plate,
Cooling Plate, Cooling Line, Weld Ring, Stack Subassembly, Terminal
Seal, Case, Leads]

Figure 3.3.3-1 Bipolar Ni-H2 Cell (Ref 22)

The inherent characteristics of the bipolar concept lend themselves to
a high-voltage, low-current operation. Using a common pressure vessel
for the entire battery offers significant improvement in both
gravimetric and coulometric energy densities. In addition,
spacecraft/battery integration is a simpler task when considering that
this one 35 kW module (or a modified modular concept) would replace
many cells in a series configuration.


Flight History - None 

Types/Manufacturer - Hughes Aircraft Co.

Battery Specifications

- Power                                   35 kW
- Load Voltage                            275 V
- Current                                 127 A
- Discharge Capacity at 0.6-h Eclipse     76
- Depth of Discharge                      70%
- Theoretical Capacity                    128 A-h
- Series Cells                            229
- Plate Area                              625 in.²
- Cell Thickness                          0.095 in.
- Stack Dimensions                        27 x 27 x 28 in.
- Battery Weight                          1583 lb
- Energy Density                          19 W-h/lb at 100% DOD
- Volumetric Energy Density               780 W-h/ft³
- Vessel Configuration                    TBD

Figure 3.3.3-2 35-kW Bipolar Ni-H2 Battery Specification (Ref 22)

Table 3.3.3-1 Estimated Weight Breakdown of a 35-kW Bipolar Ni-H2 Battery

Component                                 Total Weight    % of Total
Nickel Electrodes                         508 lb          32.5%
Hydrogen Electrodes                       70              4.5
Separators                                35              2.0
Electrolyte Reservoir Plates              185             12.0
Recombination Grids                       15              1.0
Cooling Plates                            180             11.5
Pressure Vessel                           200             13.0
Electrolyte                               246             16.0
Hardware (Tie Rods, Terminal Cables,
  Coolant Lines, Etc)                     30              2.0
Foam                                      10              0.6
Frames                                    54              3.4
Coolant                                   20              1.2
End Plates                                30              2.0
Total Weight                              1585 lb         100.0%


3.3.4 Regenerative Fuel Cell (RFC) 


Description - Regenerable fuel cell systems combine reactants in a
direct electrochemical process to generate electricity and water. The
most well-developed system is H2-O2.

The basic elements of a hydrogen-oxygen regenerative fuel-cell system
are shown in Figure 3.3.4-1. The principal parts are the fuel cell and
the electrolysis module.

The fuel-cell module converts H2 and O2 directly into dc power with
water as the byproduct. The electrolysis unit essentially splits this
water into gaseous H2 and O2, thus resulting in a reversible reaction.
Heat exchangers remove waste heat from the electrolysis and fuel-cell
modular water coolant loops, each having temperature-regulating valves.
A condenser removes heat from the generated O2 and H2 gases such that
the outlet saturation temperature or dew point is below the temperature
of the storage tanks. Similarly, a product-water heat exchanger reduces
the temperature of water discharged by the fuel-cell module to a
desired value for storage. The process water outlet temperature of the
heat exchangers is independently controlled by temperature-regulating
valves.



Principal Operating Characteristics - There are approximately ten
contributors to energy-storage inefficiency with the RFC system (Ref
24): (1) fuel-cell voltage loss; (2) fuel-cell faradaic inefficiency;
(3) fuel-cell ancillary power; (4) fuel-cell discharge regulator power
loss; (5) electrolyzer voltage loss; (6) electrolyzer faradaic
inefficiency; (7) electrolyzer ancillary power; (8) electrolyzer input
power regulator loss; (9) inefficient use of solar-array charging area;
and (10) power consumption for temperature control.

For either a solid polymer electrolyte fuel cell or an alkaline fuel
cell, a design energy-storage efficiency for the RFC system of 60% is
considered possible without undue development risk.

One of the findings by United Technologies was that the specific weight
did not change much for 35-kW and 250-kW systems, which were 55.1 lb/kW
and 51.1 lb/kW, respectively.

State of the Art - The basic space fuel cell after its emergence as a 
primary power source in the early 1960s has had, and continues to have, 
a steady and evolutionary technical growth. It very successfully pro- 
vided the electrical primary power for the Gemini and Apollo programs 
and now must be examined as to its role in projected new large space 
power systems. It is expected that the large level of effort being 
directed to the development of fuel cells for terrestrial applications 
will indirectly affect space fuel-cell technology and could possibly 
affect its projected role in future space missions (Ref 25). 

The state-of-the-art fuel cell of today is largely the product of tech- 
nology-development efforts aimed at meeting particular mission require- 
ments in a particular time frame. Fuel cells were developed in the 
early 1960s because of the special requirements of the Apollo vehicle. 
After this major step in technology advancement, the fuel cell became a 
more mature technology and made a steady technology growth toward 
lighter weight, higher specific power, lower cost, and longer life. 

The specific weight decreased from 89 lb/kW for Apollo to 8 lb/kW for
the Shuttle Orbiter (Ref 25). The advanced lightweight fuel cell has
potentially greater specific weight reduction to 4 lb/kW. During this
same period in which large reductions in specific weight and specific
cost were achieved, there were corresponding increases in operating
life from 100 to more than 2500 hours.

The fuel cell of today is an operational and reliable electromechanical 
power source. It was developed for NASA’s manned missions in the 1960s 
because the conventional battery systems could not meet the energy- 
density requirements. Although the role of the fuel cell as a primary 
source for space power appears limited, it may have a much larger role 
as an energy-storage subsystem when combined with the electrolyzer.

Present studies have shown that the space fuel cell with a dedicated
electrolyzer can be competitive with NiCd and Ni-H2 batteries as
energy-storage subsystems for large space power-system applications.

Flight History - The basic fuel cells successfully provided the elec- 
trical primary power for the Gemini and Apollo programs. The RFC has 
not been flown. 

Types/Manufacturer - GE and United Technology Corp. 

3.4 POWER CONDITIONING 
3.4.1 Series Resonant Converter

Description - The design of this type of converter is based on the
controlled transfer and transformation of electric energy through
series-resonant circuits at frequencies in excess of 10 kHz. Figure
3.4.1-1 is a schematic of a half-bridge converter. The high-Q
series-resonant circuits continuously oscillate and are controlled by
adjustment of the phase angle between the exciting voltage and the
resonant current (Ref. 26). This topology is highly efficient because
only a small fraction of the energy transferred to the load is absorbed
by the resonant circuits. The system is suited for construction of
low-cost, submegawatt, single-module converters using available
components.



Figure 3.4.1-1 Half-Bridge Converter

Principal Operating Characteristics - Owing to high-frequency operation
(10 to 30 kHz), higher energy density and efficiency are expected than
for the lower-frequency rectangular-wave converter. High-frequency
operation allows the inductive and capacitive energy-storage devices to
be smaller than those used in lower-frequency converters, a reduction
that results in significant size and weight savings. Higher-frequency
operation in the series resonant converter is possible because a
series-resonant current, rather than rectangular pulses, is conducted
through the control-semiconductor power switch. The power switches are
controlled so that they switch on and off when the current through the
switch is very close to zero, thus allowing very low switching losses.

Figure 3.4.1-2 shows a simplified schematic of a twin-full-bridge
version. Operation and control methods are similar in that the
operating principle is merely an extension from the half-bridge
operation.

Figure 3.4.1-2 Twin Full-Bridge Converter Configuration

A dc-ac version and a 3-phase ac-dc version exist as well. Operating
parameters for all these configurations are listed in Table 3.4.1-1.

Table 3.4.1-1 Operating Parameters of Existing Series-Resonant
Configurations

Type                 Vin          Vout          Power
Half-Bridge Dc-Dc    200-400 V    200, 25 kV    100 kW
Twin Full Bridge     200-400 V    400, 25 kV    200 kW
Dc-Ac                200-400 V    208 Vac       5 kW
Ac-Dc                100-208 V    200, 25 kV    5 kW


Estimated efficiencies for the dc-dc types may range as high as 97 to 
98% due to the reduced switching losses inherent in this topology. 

State of the Art - The basic operating principles are known and have
been demonstrated; however, development and improvement are still
needed. Studies are presently underway that focus on developing
standardized control and protection circuitry and on identifying
potential problems with space applications. Hybrid technology and
microprocessor applications for control also are being examined by
Martin Marietta under the AFAPL contract.

Flight History - None 

Types/Manufacturer - None; under development by AFAPL. 

3.4.2 Dc-Ac Inverter 

Description - An inverter is a power-conversion device used to
transform dc power to ac power. Power-conversion circuits consist
basically of some type of "chopper" used to develop a waveshape that is
acceptable to a transformer. The switching function in the inverter
circuit is usually performed by high-speed transistors or
silicon-controlled rectifiers (SCR) connected in series with the
primary winding of the output transformer. Figures 3.4.2-1 and 3.4.2-2
show two different types of inverters, push-pull and resonant,
respectively.

Figure 3.4.2-1 Two-Transistor, Two-Transformer Push-Pull Switching
Inverter

Figure 3.4.2-2 Series L-C Resonant Inverter


Transistor and SCR inverters can be made very lightweight and small in 
size. They are also highly efficient circuits and have no moving parts. 


Principal Operating Characteristics - Dc-ac inverters show promise in
applications involving large space-power systems. A study of the
multihundred-kWe space system by General Dynamics (Ref 27) points out
that the first choice for general-purpose, space-platform application
is a hybrid-ac/dc, centralized, and distributed configuration (Fig.
3.4.2-3). This system's major features are listed in Table 3.4.2-1.

Figure 3.4.2-3 Ac-Dc Hybrid Resonant System (Ref 27)

Table 3.4.2-1 Ac-Dc Hybrid Resonant System Features

- Modular Design and Construction Sized for Minimum
  Weight/Life-Cycle-Cost

- High-Voltage Transmission (1000 Vac RMS)

- Medium-Voltage Array (440 Vdc)

- Resonant Inversion

- Transformer Rotary Joint

- High-Frequency, Single-Phase Transmission Line (20 kHz)

- Energy Storage on Array Side of Rotary Joint

- Fully Redundant

- 10-Year Life with Minimal Replacement and Repair

- Recurring Life-Cycle Cost = $28 per Pk Watt


State of the Art - Inverters for high-power space applications do not
exist.

Flight History - None

Types/Manufacturer - None; potential suppliers include:

- Helionetics, Inc

- General Dynamics and Astronautics

- Martin Marietta

- TRW

3.4.3 Switched-Mode Dc-Dc Buck Converter 

Description - This type of converter is used often in spacecraft
applications. Advances have been made toward automating this type of
system, the best example being the Programmable Power Processor (P³)
(Ref 6). It is an autonomous, 18-kW power processor for use in large
high-power spacecraft power systems. Operation as a voltage regulator,
battery charger, shunt regulator, or power limiter is achieved by
selection of the resident ROM. The P³ is also flexible in other areas
such as the command and data interface. With selection of the
appropriate interface card, a single P³ can operate in different modes
and with almost any spacecraft interface. Table 3.4.3-1 summarizes its
main features.

Table 3.4.3-1 P³ Functional Capability

Battery Control
  - Battery Charger
  - Peak Power Tracker (Solar Array)
  - Caution and Shutdown

Bus Voltage Control
  - Voltage Regulator
  - Caution and Shutdown

Power Limiter (Shuttle Power Extension Package)
  - Peak Power Tracker
  - Fuel-Cell Current Limiter
  - Caution and Shutdown

Power Bus Overvoltage Protection
  - Shunt Regulator
  - Caution and Shutdown


Figure 3.4.3-1 shows the functional block diagram of P³. The input
and output power are connected through two 4-pin, 50-A connectors. The
78-pin patchplug connectors and 15-pin analog measurement connector are
provided. The package weighs 62 lb, and the volume is 1.17 ft³.

The power section contains three parallel power stages, which are
controlled with a 100-kHz pulse-width-modulated drive circuit. Output
voltage ripple is minimized by operating the three stages 120 degrees
out of phase with respect to each other.

The microprocessor used in the P³ is a TI SBP9900. This was selected
because it was available in I²L technology, which has low radiation
susceptibility. The 9900 uses a 16-bit data bus and hardware
multiplication and division.

Control parameters and caution-and-shutdown parameters can be changed 
in flight by ground control using command-adjustable parameters. 

Principal Operating Characteristics - High or low power levels may be
achieved with P³ by connecting several P³s in parallel without
hardware modification. Ten P³s connected in parallel can produce up
to 28 kW at 28-Vdc output; one P³ may be used if 3 kW or less are
required. Table 3.4.3-2 lists the electrical characteristics of P³.
Figure 3.4.3-2 shows the efficiency as a function of the output current
at several input voltage levels.

State of the Art - The hardware and software for an autonomous 18-kW
programmable power processor have been developed, integrated, and
verified at ambient conditions. The power processor has been
demonstrated to be capable of output voltages of 30 to 180 Vdc, at
output currents of 0 to 10 Adc, and for input voltages up to 375 Vdc.
Software for both the voltage-regulator and
battery-charger/battery-management modes has been successfully tested.
Mode selection and telemetry scaling via patchplug has been
accomplished. The P³ system has been demonstrated with both an RIU and
an FMDM interface. An autonomous operation has been successfully
demonstrated in the areas of automatic state transition, interface
initialization, caution-and-shutdown monitoring, telemetry acquisition,
processing and display, overload protection, battery management and
protection, and peak-power tracking. A complete mechanical design for
the P³ has been developed. An engineering model has been electrically
tested, and environmental testing is underway.

Table 3.4.3-2 Summary of P³ Capabilities (Ref 6)

Parameter                    Level                         Notes
Output Voltage, Vo           24 Vdc to 180 Vdc             Programmable
Output Current, Io           0 to 100 Adc
Input Voltage                26 Vdc to 375 Vdc
  Steady State, Vin
Transient Voltage            400 Vdc, 20 s
  Limitation
Output Voltage Ripple        50% of SL-E-0002A             For Vo - 30 Vdc
                             Conducted Susceptibility      Allowable Ripple
                             for Vo = 30 Vdc               Rises Proportionally
Internal Power Dissipation   600 W
  That Must Be Acceptable
  to Mechanical Design
Fast-Response Hardware       105 to 115 Adc Limiting       Protection Circuit
  Overload Protection        Occurs within 10 s of         Will Override
                             Overload                      Microcomputer
Hardware Overvoltage         Programmable between          Protection Circuit
                             26 & 200 V                    Will Override
                                                           Microcomputer
Maximum Standby Power        140 W


Flight History - None 

Types/Manufacturer - Martin Marietta/NASA MSFC

Figure 3.4.3-2 P³ Efficiency vs Output Current, Input Voltage a
Parameter


3.4.4 Transformer Coupled Converter 

Description - The transformer-coupled converter (TCCJ) was developed by 
LMSC (Ref 31) for use on the Space Shuttle Power Extension program. 

This converter meets the weight and efficiency requirements for space 
applications and is capable of converting power from high-voltage solar 
arrays. The converter topology used is the full-bridge transistor- 
transformer-coupled design. The TCC block diagram is shown in Figure 
3. 4. 4-1. The D60T high-voltage transistor is used in the baseline de- 
sign because of its superior ratings . 

The complete system consists of two independent bridge-converter
modules having their own independent regulator, analog-control
subsystem, digital-control subsystem, and peak power tracker. The unit
dimensions are 20x20x7 in. and the weight is 67 lb.

Figure 3.4.4-1 TCC Block Diagram (Ref 31)


Principal Operating Characteristics - The basic electrical
characteristics of TCC are listed in Table 3.4.4-1.


Table 3.4.4-1 TCC Specifications

Requirements | Design Goals
Input Voltage: 111 to 234 Vdc | 110 to 330 Vdc
PEP-Solar-Array Compatible |
Output Power: 5.0 kW | 6.5 kW
32.5 Vdc | 34.0 Vdc
Efficiency: |
- Overall 90% | 91+%
- Converter 92% | 92+%
- Peak-Power Tracker 98% | 99%
Output Paralleling |
Shuttle-EPDC Compatible |

The transistor bridge power converter stage is fully transformer driven
with proportioned base drive. Current sensing is also
transformer-coupled through current-sense transformers situated in the
return-level emitter circuits. The secondary uses dual parallel
rectifier-filters and the switching frequency is 20 kHz.

The principal feature of the TCC analog control circuitry is the active
control of transformer flux balance through converter phase current
sensing. The pulses of power-transformer primary current are sensed
magnetically for each conduction phase.

Regulation breakup at very low output voltages in current limit mode,
due to finite pulsewidth limitations, is reduced through foldback
current limiting derived from the output voltage as shown. The TCC
output I-V characteristic is shown in Figure 3.4.4-2.

Figure 3.4.4-2 TCC V-I Output Characteristics

The digital-control subsystem handles common logic functions such as
pulse phasing and enforcing a minimum off time. This subsystem also
coordinates phase turnon, current-sampling commands, normal phase turn
off, instantaneous phase turnoff, and limiting each phase to a single
turnon event per clock cycle.

The peak-power tracker maintains maximum solar-array output power
during system overload conditions. The peak-power tracker used is an
analog type based on the principle of steepest descent with gradient
estimation by means of input-voltage perturbation.
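
The tracker described above is an analog circuit. As an added illustration (not part of the report and not LMSC's design), the same principle, steepest descent with the gradient estimated by perturbing the array voltage, can be worked numerically; the array model, its constants, the loop gain and the perturbation size are all assumptions constructed for this example.

```python
import math

# Constructed array model for illustration (values are not from the report).
I_SC = 30.0    # short-circuit current, A
V_OC = 234.0   # open-circuit voltage, V
V_T = 12.0     # voltage scale that sets the sharpness of the I-V knee, V


def array_current(v):
    """Array current at terminal voltage v for the constructed I-V curve."""
    v = min(max(v, 0.0), V_OC)
    return I_SC * (1.0 - math.exp((v - V_OC) / V_T))


def array_power(v):
    """Power delivered by the array when it is held at voltage v."""
    v = min(max(v, 0.0), V_OC)
    return v * array_current(v)


def estimate_gradient(v, dv):
    """Estimate dP/dV by perturbing the input voltage by +dv and -dv."""
    return (array_power(v + dv) - array_power(v - dv)) / (2.0 * dv)


def track_peak_power(v_start, gain=0.02, dv=0.5, steps=600):
    """Steepest descent on -P(V): step V along the estimated dP/dV.

    gain is volts of correction per W/V of slope. It must stay below
    2/|d2P/dV2| over the operating range or the loop oscillates.
    Returns the final voltage, the power there, and the voltage history.
    """
    v = min(max(v_start, dv), V_OC - dv)
    history = [v]
    for _ in range(steps):
        v += gain * estimate_gradient(v, dv)
        v = min(max(v, dv), V_OC - dv)   # keep both probe points on the curve
        history.append(v)
    return v, array_power(v), history


def brute_force_peak(step=0.01):
    """Reference answer: scan the whole curve for the maximum-power point."""
    n = int(V_OC / step)
    p_best, v_best = max((array_power(i * step), i * step) for i in range(n + 1))
    return v_best, p_best


if __name__ == "__main__":
    v_ref, p_ref = brute_force_peak()
    for start in (120.0, 230.0):   # one start on each side of the knee
        v, p, _ = track_peak_power(start)
        print(f"start {start:5.1f} V -> {v:6.2f} V, {p:7.1f} W "
              f"(reference {v_ref:6.2f} V, {p_ref:7.1f} W)")
```

Starting on either side of the knee, the loop settles at the same voltage as the exhaustive scan; raising the gain toward the stability bound in the docstring shows the oscillation the bound warns about.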

State-of-the-Art - LMSC has built two complete TCC units and operated
them at full power (Ref 31). The prototype unit is scheduled for
delivery to NASA Johnson Space Center for evaluation in their Shuttle
Orbiter power system simulator. The prototype is intended to simulate
the overall physical characteristics of a flight unit.

Flight History - None 

Types/Manufacturer - LMSC 

3.4.5 Partial/Full Shunt Regulator 

Description - Shunt regulators are used to limit solar array and/or bus
voltage at some value under varying spacecraft bus loading and array
power conditions. This is accomplished by applying one or more
proportionally controlled shunt elements across the bus as in the case
of the full shunt regulator (Fig. 3.4.5-1A). Partial shunt regulators
connect at an intermediate point on the array string to reduce power
dissipation (Fig. 3.4.5-1B). Other types of shunt regulation schemes
are shown in Figure 3.4.5-2 (Ref 30).

Principal Operating Characteristics - The partial shunt regulation
approach is more relevant to high-power systems due to its lower
dissipation. The binary-segmented, partial-shunt regulator, for
example, uses both linear and digital control (Ref 14, 15, 28, 29). One
of the unique features of this type of system is that the solar array
is divided into binary segments that the shunt regulator controls. All
shunt-regulator power stages are either open or saturated except for
the first one. Each of the on-off power stages is driven by one of the
up-down counter outputs. As a result, the bus current will decrease as
the counter decreases. This type of control can be used with equal
segmented arrays as well.

Figure 3.4.5-1 Shunt Regulation Configuration: (a) Full Shunt, (b)
Linear Partial Shunt

Figure 3.4.5-2 Array Voltage Regulation via Switching

State-of-the-Art - To date, the shunt approach has been almost
exclusively used for GEO and medium-altitude orbits and in low- to
moderate- (100-to-2kW) power systems. The shunt regulator can be
expanded so it can handle higher power levels by switching from a
single-stage system to a multistage system, although growth capability
is limited by circuit complexity and component limitations.

Flight History - Many spacecraft have used shunt regulators. Some
examples are listed below:

Type | Spacecraft
Full Shunt | TACSAT, 0J0, Pioneer Venus Orbiter, Multiprobe Bus, GMS, SCATHA
Partial Shunt | SEASAT, MARISAT, Satellite Business Systems, ANIK-C, NTS-2

Types Available - Typically custom-designed.


3.5 POWER DISTRIBUTION 
3.5.1 Magnetic Latching Relay 

Description - Magnetic latch relays are electromechanical
power-switching components. They have two coils (A and B in Fig.
3.5.1-1 and 3.5.1-2), one for set and one for reset. They require only
pulse power to transfer and do not require any steady-state coil power.
All space-qualified units are in a nominal 28-Vdc contact rating.

Principal Operating Characteristics - Energizing Coil B produces a
magnetic field opposing the holding flux of the permanent magnet in
Circuit B. As this net holding force decreases, the attractive force in
the air gap of Circuit A, which also results from the flux of the
permanent magnet, becomes great enough to break the armature free of
Core B, and snaps it into a closed position against Core A. The
armature then remains in this position on removal of energy from Coil
B, but

State of the Art - These are mature components with many
space-qualified units for 28-Vdc systems. Development is required for
120-Vdc and 240-Vdc systems.

Flight History - These devices have flown on many spacecraft. 

Types/Manufacturer - The following types are available for space
applications:

Mfg | P/N | Contact Vdc | Contact Adc | Weight, gm | Size, in.
Hartman | | 28 | 30 | 224 | 1.8x1.99x1.51
LEACH | ICCL Series | 28 | 25 | 85 | 1x1x1
LEACH | JA Series | 28 | 10 | 40 | 1x1x0.5
LEACH | X Series | 28 | 5 | 15 | 0.4x0.8x0.65


3.5.2 Motor-Driven Switch 

Description - These components employ a dc motor to make and break the
contacts. Contacts are usually DPDT although the user can specify the
form of the contacts. Motor drive is normally 28 Vdc. An internal limit
switch stops the motor after opening or closing the contacts.


Principal Operating Characteristics - Table 3.5.2-1 summarizes the
electrical performance of a typical motor-driven switch.


Table 3.5.2-1 Motor-Driven Switch Electrical Performance

Parameter | Requirement
Contact Drop: | Less Than 100 mV
Dielectric Strength: | 1000 Vrms for 1 min, w/o Failure
Operate Time: | 100 ms
Motor Current: | 8 to 11 A, 32 V
Contact Rating: | 28 Vdc, 200 A Continuous
Overload: | 750 A (Make and Break)
Rupture: | 2000 A
Life: | 2500 cycles at 28 Vdc, 200 A

State of the Art - Space-qualified components have been used on
missiles and spacecraft for years.

Flight History - Flown on most missiles and many spacecraft.

Types/Manufacturer - Kinetics Corp., 10-, 20-, 50-, 100-, and 200-A
ratings.

3.5.3 Solid-State Switch — RPC 

Description - Solid-state remote power controllers (RPC) are switching
devices that combine in one unit the capability to perform all the
functions of load switching, overload protection, and direct indication
of load status.

RPCs are designed to be located near the load and communicate control
and status information remotely via low-level signals. Figure 3.5.3-1
is a functional block diagram of RPC in a typical application. The
packages range from 3.8x3.8x2.3 cm, weighing 77 g, to 4.8x4.8x3.1 cm,
weighing 142 g for the 28-Vdc version.

Figure 3.5.3-1 RPC in a Typical Application

Principal Operating Characteristics - Operation of an RPC is relatively
straightforward. Bus voltage must exist at the power input to which
the positive control voltage is applied. The control section is
optically coupled to the logic and internal power supply. With the
trip-and-latch circuit armed, the switch-driver circuit is activated to
turn on the main power switch and energize the load in a controlled
manner (Fig. 3.5.3-2). Once the RPC is activated, it sends back an "on"
signal for status indication. In the event of a fault condition, the
RPC will either limit, integrate, or trip, depending on the nature of
the overload. A trip will result in de-energizing of the load and a
trip indication on the status line. Table 3.5.3-1 lists operating
parameters for the 28-V version.

Figure 3.5.3-2 Functional Block Diagram of an RPC Showing Each Basic
Function

Table 3.5.3-1 Operating Parameters

Operating Voltage: 24 to 34 Vdc
Current Ratings: 3 A, 5 A, 7 A, 10 A, 15 A, 20 A
Current Limiting: 125 to 150% of rated
Overload-Trip Time: 2 to 3 s
Rise-and-Fall Time: 0.3 to 6 ms
Control Voltage: 5 to 7 V (Off), 9 to 12 V (On)
Control Current: 10 mA max


State of the Art - Space-qualified units are available (see Fig.
3.5.3-3 for typical packaged RPCs).


Flight History - Each Space Shuttle Orbiter contains more than 500 RPCs 
in six ratings from 3 to 20 A. 


Types/Manufacturer - Typical ratings and types available from
Westinghouse are:


28 Vdc, 3 to 20 A
120 Vdc, 5 to 300 A
270/300 Vdc, 4 A, 2 A
230 Vac/400 Hz, 1.5 A

Figure 3.5.3-3 Cutaway View of Packaged Remote Power Controllers

3.5.4 Fuses 


Description - A fuse is a device used to protect electrical-system
components from fault currents. Two conditions exist where a fuse will
open. The first is an overload current, where the current rating is
exceeded by any marginal percentage. The second is in the event of a
direct short circuit, in which the fault current (in the absence of a
protection device) would exceed the rated current by many orders of
magnitude. The possibility exists that a component such as a circuit
breaker can be completely destroyed under short-circuit conditions
while the fuse opens and protects the user from the fault current. The
current-limiting capability of the fuse should allow components with
low short-circuit tolerances to be specified.

Principal Operating Characteristics - Fuses are characterized by their
rated current, voltage, and "let-thru" current values (Ref 33). Current
rating is a nominal value expressed in amps to which the fuse can be
loaded based on a controlled set of test conditions. Voltage rating
indicates the value at which the fuse can safely interrupt a fault
current. Peak let-thru current is the current value that flows at the
time the fuse blows (Fig. 3.5.4-1).

The area under the curve indicates the amount of short-circuit energy
being dissipated in the circuit.

Magnetic forces and thermal energy are directly proportional to the
square of the current. This implies that the fault current must be
limited to as small a value as possible in as short a time as
possible. Figure 3.5.4-2 shows a typical relation of blow time versus
fault current in percent of rated current.

State-of-the-Art - Fuses are a mature technology.

Flight History - These devices have flown on several spacecraft.

Types Available - A large number of different types exist from several
suppliers.

Figure 3.5.4-1 Typical Current-Limiting Characteristics of Fuses

Figure 3.5.4-2 Typical Fuse Blow Time Characteristics (axis: Blowing
Time in Seconds)

3.5.5 Circuit Breaker

Description - Circuit breakers, like fuses, are a protection device and
function to protect the power wiring. The type used on the Space
Shuttle Orbiter is the thermal circuit breaker. This type of breaker is
dependent on temperature rise in the sensing element for actuation.
Temperature rise in the sensing element is caused by load-current I²R
heating. This causes deflection of the element (e.g., bimetal), which
will cause the circuit to open. The size of the thermal element, its
configuration, physical shape, and electric resistivity determine the
current capacity of the breaker.

Principal Operating Characteristics - The Series-4310 ambient
temperature-compensated miniature circuit breaker is a lightweight
single-phase breaker. This device is designed to operate under severe
environmental conditions. Table 3.5.4-1 lists operational data.

Table 3.5.4-1 Typical Circuit-Breaker Characteristics

Minimum Limit of Ultimate Trip: No trip within 1 h at 110% load, 25°C.
Maximum Limit of Ultimate Trip: Trip within 1 h at 145% load, 25°C.
Overload Cycling: Minimum of 100 cycles at 200% rated current.
Interrupting Capacity: 1 to 20-A models: 6000 A at 28 Vdc.
Dielectric Strength: 1250 Vac
Insulation Resistance: 100 megohm at 500 Vdc.
Weight: 25 g.


The breaker characterized above was built to Rockwell specifications
for use in the Space Shuttle Orbiter. Other types were used as well.

State-of-the-Art - Space-qualified units are available.

Flight History - Circuit breakers have been used on manned missions
(Skylab and Space Shuttle Orbiter).

Types/Manufacturer - Many types are available; for example, see
Mechanical Products, Series 4310 and Series 4330, used on Shuttle
Orbiter.

3.5.6 Cabling 

Description - Cables are insulated conductors used to transmit
electrical energy to all the various subsystem components. The most
common material used is copper because of its high electrical
conductivity, ductility, and resistance to wear and fatigue.
Copper-alloy conductors are desirable because they permit significant
size and weight reduction. Aluminum conductors could represent a great
weight savings (50%); however, they have low tensile strength, poor
flexibility, and crimp poorly to terminals.

There are many types of insulation available that are suitable for
aerospace applications. The best of these and their properties are
shown in Table 3.5.6-1.


Table 3.5.6-1 Characteristics of Various Insulation Materials

Property | Polyvinyl Fluoride Kynar | FEP Fluoroplastic | Polyimide Kapton | Teflon | Polyimide Nylon 6
Tensile Strength, psi | 7000-18,000 | 2500-3000 | 25,000 | 3000 | 9000-18,000
Elongation, % | 115-250 | 300 | 70 | 250-330 | 250-500
Burst Strength, Mullen Points, 1-mil Thick | 19-70 | 11 | 75 | 11 | Elongates
Tearing Strength, lb/in. | 997-1400 | 600 | 232 mil | 600 | 1000-1200
Water Absorption, 24 h, %-Wt Gained | 0.5 | 0.01 | 2.9 | Neg | 9.5
Temperature Limits, °F - High | 220-250 | 440-525 | 750 | 392 | 200-400
Temperature Limits, °F - Low | -100 | -425 | -450 | -112 | -100
Dielectric Constant at 10³ Hz | 8.5 | 2.0-2.05 | 3.5 | 2.1 | 3.7
Dielectric Constant at 10⁹ Hz | 1.6 | 2.05 | 3.4 | 2.05 | 3.4
Dielectric Strength, V/mil | 7000 | 3500 | 7000 | 7000 | 1300-1500


Thermal derating is based on the wire-bundle configuration. The
derating factor considers the temperature rise due to reduced thermal
view and thermal conductivity of the bundle. For example, flat
conductor cable requires the least derating, owing to a greater surface
area not common to the other conductors (Fig. 3.5.6-1).

A cylindrically assembled bundle requires more derating to keep
operating temperatures low.

Figure 3.5.6-1 Derating Curves for Multiple Cable Assemblies

Principal Operating Characteristics - Power conductor parameters are
listed in Table 3.5.6-2 for different materials. Table 3.5.6-3 shows
performance information for these types of materials.

State-of-the-Art - Copperclad aluminum cables and bus bars are
presently used in space programs. Sodium and intercalated carbon fibers
represent new technology (Level 3). Sodium conductors would be
extremely lightweight, and intercalated carbon would reduce cost as
well as lower the weight.

Table 3.5.6-2 Power Conductor Characteristics

Parameter | Copper* | Aluminum* | Sodium^ | Intercalated Carbon Fibers^
Relative Conductivity, % | 100 (Ref) | 61 | 40 | TBD
Volume Resistivity, ohm-cm | 1.72 x 10⁻⁶ | 2.82 x 10⁻⁶ | 4.3 x 10⁻⁶ | 3.5 x 10⁻⁶ To Date
Density, g/cc | 8.89 | 2.70 | 0.97 | 2.7
Temp Coefficient of Resistance | -0.00393 | -0.00410 | -0.0044 | TBD
Coefficient of Linear Expansion/°C | 17 x 10⁻⁶ | 23 x 10⁻⁶ | 62 x 10⁻⁶ | 1 x 10⁻⁶
Melting Point, °C | 1083 | 659 | 97.5 | N/A
Electrical Resistivity | 15.3 x 10⁻⁶ | 7.61 x 10⁻⁶ | 4.17 x 10⁻⁶ | 9.5 x 10⁻⁵
Relative Density to Conductivity Ratio % | 100 | 50 | 27 | 618 To Date

*Present

*Near-Term

"Far-Term


Flight History -

Copper Types Used Extensively
Sodium - None
Intercalated Carbon - None

Types Available - Copper



Table 3.5.6-3 Power Conductor Performance Information

Parameter | Copper | CdCrCu | Aluminum | Sodium | Intercalated Carbon
Tensile Strength (Also Improved By Insulation), psi | 32,000 | 68,000 | 13,000 | N/A | 300-1000
Flexibility | Reference | 3X Copper | 1/3 Copper | Depends On Sheath | TBD
Crimp Terminability | Excellent. Crimping Tools Designed Around Copper | Very Good. Greater Crimping Force Required | Poor. Tends to Creep, Causing Looseness and Arcing | N/A | N/A
Solderability | Excellent. Mild Flux Usually Required | Very Good. Stronger Flux Required with Alloys | Very Poor. Special Flux Required | N/A | N/A
Stability | Fair. Prone to Oxidation and Chloride and Sulfide Tarnish | Same as Copper, Except Alloying Decreases Rate of Attack | Excellent, Except in Chloride Environment | Good Only in Space Environment | Excellent.


3.6 POWER-TRANSFER DEVICES (GIMBALS)

3.6.1 Slip Rings

Description - Slip rings are used to transfer electrical power and sig- 
nals from the solar-array and sun-sensor preamps to a stationary por- 
tion of the structure. Under NASA contract NAS3-22266 on power manage- 
ment technology, Poly-Scientific Corp. evaluated the feasibility of 
producing a slip-ring capsule assembly (Ref 35). This module design 
serves as a good example of present slip-ring technology. 



The slip-ring capsule was designed in 25-kW sections to be combined
into a 100-kW capsule. Table 3.6.1-1 lists physical/mechanical
characteristics.


Table 3.6.1-1 Physical and Mechanical Characteristics

Length: 11 in.
Outside diameter: 5.5 in.
Weight: 13 lb
Rings, Number: 8 Total, 4 +, 4 -
Rings, Material: Coin Silver, (9 Ag-10 Cu) or Hard Silver Electrodeposit
Brushes, Number: 6 per Ring
Brushes, Material: Silver, Molydisulfide, and Graphite
Life: 5 Years
Current Density: 62.5 A/in.², Normal; 150 A/in.², Emergency
Drive Torque: 8 in.-lb


Principal Operating Characteristics - The slip-ring capsule assembly
may be used to reliably and efficiently transfer 100-kW of power in
space. Table 3.6.1-2 summarizes the electrical operating parameters.


Table 3.6.1-2 Electrical Parameters

Voltage: 400 Vdc
Current: 62.5 A per Module; 250 A Total
Power: 100-kW, 4 to 25-kW Modules
Contact Drop: 0.090 V
Power Loss: 45 W


State-of-the-Art - Slip rings are a mature technology (Level 8) and are 
applicable for 100-kW range. 

Flight History - See Table 3.6.1-3.

Types/Manufacturer - See Table 3.6.1-3.

Table 3.6.1-3 Flight History Space Slip Rings and Poly-Twists
Preliminary Poly-Scientific Data

P/N | Application | Customer | Type
FK1806, 7 | Nimbus SA | TRW | Sep
D1836 | Tiros | BBRC | Cap.
BQ1946 | Not Defined | Cap | Comp
ET2U1U | OSD | BBRC | Cap.
EW2063 | Apollo Ant. | Dalmo Victor | Cap.
F12076 | INT IV A | HAC | Sep
BN2Q98 | Mars Probe | GE | Cap.
ET2189 | Scoop | BBRC | Cap.
D2255 | Skylab | Bendix | Cap.
FK2334 | Viking | TRW | SW
ET2374 | Atm Exp | BBRC | Cap.
FL2391 | OSO | HAC | Cap.
AS2431 | Dom Sat. | RCA | Sep
ET2445 | CTS | BBRC | Cap.
FK2450 | FLT SAT. COM | BBRC | Sep
FK247U | Solar Array | TRW | Cap.
DQ2614 | Not Defined | LMSD | SW
DQ2615 | Solar Array | LMSD | Cap.
D2634 | ELMS | Bendix | Cap.
AS2646 | TEL SAT. | RCA | Cap.
JP2650 | OTS | HSD | Sep
AC2737 | Not Defined | - | Cap.
DQ2769 | Sea Sat. | LMSD | Cap.
ET2793 | P78-2 | BBRC | Cap.
KU2832 | INT V | FACC | Sep
FK2857 | TDRSS | TRW | Sep
FL2907 | SBS ANIK-C, D | Hughes | Sep

Legend:

Cap. - Capsule
SW - Switch
P - Pancake
Tape - No Contacts, Tape Conducts

3.6.2 Roll Ring 


Description - The roll ring is a device for transferring power across a
rotary joint. This approach incorporates a complex structure of
mechanical parts (Fig. 3.6.2-1), which significantly reduces friction.

The dimensions of a developed device are 25 in. long, 10-in. diameter,
and it weighs 30 kg.

Figure 3.6.2-1 Cutaway of 11-Contact Roll-Ring Capsule (Ref 34)


Principal Operating Characteristics - Table 3.6.2-1 lists roll-ring
performance characteristics identified in Reference 34. Its design
goals are:


1) Provide transfer of power ranging from 10 kW to 100 kW;

2) Be capable of handling high voltage independent of the
environmental pressure; a 1000-V criterion was used to force a
solution of the high-voltage corona problem for high-power systems in
vacuum, with potential operation pressures in the critical-pressure
zone;

3) Transfer power with a minimum size and weight;

4) Meet long-life operating requirements ranging from three to 10
years, with rotation up to 36,000 revolutions;

5) Provide redundancy in the power-transfer lines;

6) Ensure wearout-failure modes are open-circuit type;

7) Transfer power with unlimited angular rotation.


Table 3.6.2-1 Roll-Ring Performance Characteristics

Parameter | Capability
Rotation Limit | Unlimited
Internal Pressure, mm Hg | 760 x 10⁻⁸
Voltage Limit | 200
Max Current, A | 10
Corona Problem | Yes
Life | Millions of Rev
Conductor Size and Number | Fixed 10 (Bearing Friction)
Angular Rotation | X1


State-of-the-Art - This is a new technology device (Level 4).

Flight History - None

Types/Manufacturer - None

3.6.3 Rotary Transformer

Description - A rotary transformer designed by GE (Ref 35) consists of 
a primary core with windings and a secondary core with windings in a 
cylindrical configuration. The secondary core encloses the primary 
core, which has a shaft through the center. The secondary can be sup- 
ported by a housing that is connected to the spacecraft structure. The 
primary core/shaft assembly can rotate freely within the secondary 
core. This configuration allows energy to be transferred through a 
rotary joint by magnetic induction once power conditioning electronics 
are connected to the rotary transformer. The transformer
characteristics are listed in Table 3.6.3-1.

This device is being developed for use with a series resonant
converter. The power per module is based on a 25-kW design; however,
there are no inherent limitations to the power levels.

Table 3.6.3-1 Rotary Transformer Characteristics (Ref 35)

Core
  Outside Diameter: 9.0 in.
  Air-Gap Diameter: 5.35 in.
  Inside Diameter: 2.0 in.
  Air-Gap Length: 0.01 in.
  Width of pole: 0.6 in.

Winding
  Primary Resistance, 100°C: 0.0053 ohms, dc; 0.0136 ohms, ac
  Secondary Resistance, 100°C: 0.029 ohms, dc; 0.120 ohms, ac
  Primary Inductance: 19 H
  Secondary Inductance: 51 H

Weight, lb
  Copper: 7.1
  Core: 15.7

Losses
  I²R: 141
  Core: 89

Efficiency: 99%

Thermal
  Primary
    Sink Temperature: 60°C
    Core Temperature: 100°C
    Coil Temperature: 105°C
  Secondary
    Sink Temperature: 60°C
    Core Temperature: 63°C
    Coil Temperature: 66°C


Principal Operating Characteristics - Four 25-kW modules combine to
provide 100-kW capability. A drive module provides a rotational
capability from one revolution per day to one revolution every 90
minutes using a stepper motor, speed reducer, and clutch. Table 3.6.3-2
lists the basic operating characteristics of the system.

State-of-the-Art - This is a new technology item (Level 3).

Flight History - None

Types/Manufacturer - None

Table 3.6.3-2 Operating Characteristics of 100-kW Rotary Transformer

Input from Solar Array
  Power: 100 kW
  Voltage: 440 V

Output from Rotary Power Transfer Device
  Voltage: 1000 V
  Frequency: 20 kHz

Power Conditioning Electronics: Resonant Circuit (Schwartz)

Rotary Transformer
  Power: 100 kW
  Input Voltage: 400 V
  Input Current: 70 A
  Output Voltage: 1000 V
  Frequency: 20 kHz
  Inductance: 75 H
  Configuration: Concentric Cylinder; 4- to 25-kW Modules; Two Parallel
    Secondary Windings per Module

Rotational Period: 90 minutes to 24 hours

Efficiency: Greater than 95%

Environment: Shuttle Launch

Temperature
  - Nonoperating: -20° to 80°C
  - Operating: 80° Heat Sink, Rotary Transformer; 60° Heat Sink, Power
    Conditioning Electronics

Life: 5 years


3.6.4 Flex Cable 


Description - A simple approach to rotational power transfer is the
Lockheed-designed and -developed twist flex unit (Ref 34). This
technique permits power transfer through insulated wire bundles from
one rotating disk to a second rotating disk. The disks are mounted on a
shaft (torque tube) that connects to a bulkhead.

The wire bundle is made up of 40 pairs of 16-gauge wire, 72 pairs of
24-gauge wire, and eight twin*>k. The unit is 13-in. diameter, 25-in.
long, and weighs 10 kg.

Principal Operating Characteristics - Table 3.6.4-1 is a list of the
primary characteristics.


Table 3.6.4-1 Twist Flex Characteristics

Parameter | Capability
Rotation Limit | +205 Deg
Internal Pressure, mm Hg | 700 p 10⁻⁸
Voltage Limit | 400 V
Max Current, A | 15 A
Corona Problem | None
Life | 0.4 x 10⁸ Rev Demonstrated
Particle Generation | None
Major Failure Mode | Open
Conductor Size | Simple to Revise
Angular Rotation | X2


State of the Art - The design has been fully developed.

Flight History - None.

Types/Manufacturer - LMSC.

3.7 SENSORS AND SIGNAL CONDITIONING 

3.7.1 Ac Voltage and Current Sensors 

Description - Ac voltage and current sensors are devices (usually mag- 
netic) that provide a calibrated analog signal acceptable to condition- 
ing or control electronics. 

Principal Operating Characteristics - A common method of sensing
alternating current involves a current transformer. The conductor
carrying the current to be measured is taken to be the primary winding.
The voltage developed on the secondary is proportional to the primary
current. Figure 3.7.1-1 shows a typical current-transformer approach
(Ref 7).



True RMS current can be detected using the circuit shown in Figure
3.7.1-2. In this case, current is sensed with a shunt, another common
sensing element. A 3-V p-p signal input to the true RMS converter
produces a 3-Vdc output signal.

Figure 3.7.1-2 Shunt and True rms Converter

Standard operational amplifiers scale the shunt signal to the
appropriate values. Ac voltage monitoring is also sensed magnetically.
A transformer easily scales the voltage down to a small signal that can
be rectified and filtered.

State of the Art - These devices have been fully developed (Level 8). 


Flight History - 

Types/Manufacturer - These devices are custom-made items. 

3.7.2 Dc Voltage and Current Sensors 

Description - These devices provide a calibrated analog signal to the 
conditioning system. Voltage measurement usually involves a resistor 
divider and an op amp. Dc-voltage measurement is somewhat simpler than 
ac, whereas the opposite is true for dc-current measurement. A current 
can easily be transduced with a shunt; however, this method is only 
practical at the lower levels. Mag-amps are used for nonintrusive 
sensing of high currents and are more complicated. 

Principal Operating Characteristics - A dc voltage sensor can be made
simple and reliable. Figure 3.7.2-1 is a schematic of a typical
voltage transducer. The variable divider is R1 and R2. Amplifier A1 is
used as a difference amplifier; that is, it rejects common-mode
voltages when R1 and R2 are at the source. A2 is a unity-gain inverting
amplifier. For positive input voltages, the output is taken from the
output of A2. For negative input voltage, the output is taken from the
output of A1. The output impedance of this transducer is low because,
for both positive and negative source voltages, the output is an
operational amplifier with a gain of -1. Table 3.7.2-1 shows the
principal features of a dc voltage transducer.

Note: 1. A1 and A2 LM741-CN
      2. All R 12, 1/4 H RN 55

Figure 3.7.2-1 Dc Voltage Transducer, R Divider, and Operational
Amplifier


Table 3.7.2-1 Dc Voltage Transducer Design Details

Source Voltage, Full Scale | Source Voltage, Nominal | R1 | R2 | E(Out) Full Scale
65 | 56 | 103 kohm | 20 kohm | 3 V
40 | 30 | 61 kohm | 20 kohm |
8 | 5 | 8.3 kohm | 20 kohm |
+20 | 15 | 28.3 kohm | 20 kohm |
-20* | -15 | 28.3 kohm | 20 kohm |

*For -20 V, delete R7, R6, R8, and A2. Use E1 as output.


Figure 3.7.2-2 shows the type of mag amp used on the Viking Orbiter '75
(Ref 7). Each toroid core (A & B) has an excitation/reset coil that is
connected to the drive circuitry as shown. CR1 and CR2 always steer
the current through coil 6,5 in the same direction, while alternately
resetting the cores on opposite half cycles. Dc load current passes
through the toroids via coil 7,8. The output voltage is determined by
the product of the turns ratio times the load current times the
resistance of R3.

Figure 3.7.2-2 Viking Orbiter '75 Type of Magnetic Amplifier Current
Transducer


State of the Art - These devices have been fully developed. 

Flight History - N/A. 

Types/Manufacturer - These devices are custom-made items. 

3.7.3 Temperature Sensors 

Description - Materials that change resistance by some function of
temperature are normally used as temperature transducers. Typical ones
are platinum wire segments, resistors, and copper.

Principal Operating Characteristics - These devices are commonly used
in a balanced resistive-bridge configuration. Imbalance due to
temperature change can be sensed differentially across the bridge.
Figure 3.7.3-1 is a schematic of this type of circuit. It is scaled to
produce zero output at 32°F and +3 V at 150°F. The thermistor R1, R2,
and R3 form a bridge. Amplifier A1, along with R4, R5, R6, and R7,
convert the common-mode voltages across the thermistor and R3 into a
single-ended voltage. A2 is an adjustable-gain amplifier used to set
the scaling in a precise manner. An amplifier with a guaranteed low
offset voltage is used for A1 to preclude trimming of offset voltages
and to achieve minimum error due to A1 offset voltage.


[Schematic not reproduced. Legible labels: R4, R5, R6, R7, R8, LM308,
LM741, To A/D, A/D Return.]

Figure 3.7.3-1 Thermistor-Bridge Temperature Sensor

State of the Art - These devices have been fully developed.

Flight History - Used on all spacecraft.

Types/Manufacturer - All ranges are available for custom design.

3.7.4 Pressure Sensors


Description - Pressure measurements can be accomplished reliably by 
using a metallic strain gauge (Ref 36). Pressure in a container will 
induce stress on the solid, constraining material, which can be meas- 
ured using a strain gauge. Metallic strain gauges are formed from thin 
resistance wire or are etched from thin sheets of metal foil. Figure 
3.7.4-1 shows a bondable wire-grid strain gauge.




Figure 3.7.4-1 Uniaxial Strain Gauge, (a) Wire, (b) Foil (Gould Inc,
Measurement Systems Division)

Many types of material are used to fabricate these devices, such as
Constantan, Nichrome V, and Stabiloy. Typical sizes range from 1/8 x 1/8
in. to 1 x 1/2 in.


Principal Operating Characteristics - In the usual application, the 
strain gauge is cemented to the structure whose strain is to be meas- 
ured. The adhesive material must hold the gauge firmly to the struc- 
ture, yet it must have sufficient elasticity to give under strain 
without losing its adhesive properties. The adhesive should also be
resistant to temperatures, humidity, and other environmental conditions.

Connecting four gauges in a bridge configuration is the most common
method of electrically sensing the changing resistance. Having two
gauges active and two gauges inactive provides a balanced,
temperature-compensated bridge circuit. Signal amplification and scaling
are performed in the usual manner.

State of the Art - These devices have been developed, tested, and used 
extensively. Present development is directed toward microminiature 
semiconductor versions. 

Flight History - Intelsat 5 and 6 have used strain gauges for NiH2
battery pressure sensing.



Types/Manufacturer -

Uniaxial, Wire or Foil
Two- and Three-Element Rosettes
Signal Conditioning Custom Design

TASK 2 - DEFINITION OF FAULTS AND FACTORS AFFECTING EPS PERFORMANCE


OBJECTIVE AND SCOPE 

The objective of this task is to (1) develop a comprehensive list of 
electrical power system (EPS) faults, activities in other subsystems, 
and other factors that could prevent the power subsystem from function- 
ing properly, and (2) define their operational impact on the EPS. 

SUMMARY 

Inputs to this task were the components of a generic EPS developed in
Task 1. A "fault" is defined to include all types of failures and
degradation modes.


A summary of the major EPS failure and degradation modes is shown in 
Table 4-1. The only EPS failures that could result in catastrophic 
loss of the spacecraft are explosion of the NiH2 pressure vessel and
failure of a series-resonant inverter capacitor. Both of these poten- 
tial failures must be eliminated by design, worst-case analysis, and 
test, and not by automation. Table 4-2 is a list of operational im- 
pacts resulting from failures. 


A summary list of other subsystems and activities that could affect the
EPS is given in Table 4-3. A summary of unknowns that could affect the
EPS is given in Table 4-4. There are two methods for considering
failures:

1) Undetected and uncorrected;

2) Timely detection and correction.


Table 4-1 Major EPS Component Failure and Degradation Modes

EPS Component | Major Failure Modes | Degradation Modes
Photovoltaic Array | Open; Short; Arcing | Filter, Antireflective Coating; Power Loss Due to Plasma Interaction & Charged-Particle Radiation
Slip Rings | Short | Particle Generation from Brushes (Major)
Roll Rings | Open | Particle Generation from Rings (Minor)
Twist Flex | Open |
P3 (Dc/Dc Converter) | Shorted Series-Pass Transistor; Output Overvoltage | Efficiency; Ripple
Transformer-Coupled Converter (Dc/Dc Converter) | Output Overvoltage | Efficiency; Ripple
Series-Resonant Inverter (Dc/Ac Converter) | Shorted Semiconductor Power Switch; Shorted Commutating Diode; Output Overvoltage; Input Cap Destruction By Overvoltage | Efficiency
Photovoltaic Array Voltage Controller | Loss of All Output from an Array | Partial Loss of Control & Regulation
Magnetic Latching Relays | Fail to Operate; Transfer when Not Commanded | Increased Contact Resistance
Remote Power Controllers | Fail to Transfer; Spurious Transfer; Oscillation; Fail to Limit Rise & Fall Time of Current; Fail to Limit Fault Current; Loss of Status Indication | Increased Contact Resistance
Fuses | Opens at Current Less Than Spec; Does not Open at Spec Current |
Cabling | Open; Short | Insulation Life Degraded Due to Excessive Temperature or Voltage
Sensors | No Output | Accuracy Out of Spec; Out of Calibration
Chemical Turbo Machinery | Reactant Leakage; Turbine Mechanical Failures; Generator Electrical Failures |
Regenerative Fuel Cell, Electrolysis and Fuel Cell | H2 in O2 Manifold; O2 in H2 Manifold; V/I HI/LO; Absolute Pressure HI/LO; Excessive H2 and O2 P; Temps Hi/Lo; Voltage Regulator Out of Spec | Separator Electrode
Nickel-Cadmium Battery | Shorted Cell; Open Cell; Overpressure Failure Due to Cell Reversal | Loss of Capacity; Low Voltage
Nickel-Hydrogen Battery | Pressure Vessel Leak Resulting in Open Cell/Cells; Overpressure Failure Due to Overcharge | Loss of Capacity; Low Voltage
Lithium-Thionyl-Chloride Primary Battery | Open Cell; Shorted Cell (Which Can Cause Other Failures, Including Overpressure) | Low Final Voltage; Loss of Capacity

Table 4-2 List of Operational Impacts

1 - Catastrophic Loss of the Spacecraft
2 - Complete Loss of Mission Functions
3 - Partial Loss or Degradation of Mission Functions
4 - Loss or Degradation of a Subsystem Function
5 - Loss of Fault Management or Maintenance Capability
6 - No Significant Impact

Note: Above definitions are from JPL Report SD-TR-82-58, Autonomous
Spacecraft Design and Validation Handbook, April 30, 1983.




Table 4-3 Other Subsystems and Activities That Can Affect the EPS

Subsystem | Failure/Activity | Effect | Operational Impact*
Structures | Modular Buildup | Reduced Power | 3,4
Thermal Control | Impaired Capacity to Jettison Waste Heat | Reduced Power | 3,4
User Loads (All Subsystems and Payloads) | Shorts or Overloads | Bus Undervoltage | 3,4
 | Large Differences in Day and Night Power at Buses | May Reduce Bus Power Capability; Excessive Battery DOD | 3,4
Attitude Control | Gravity Gradient Attitude Mode | Reduced Power | 3,4
EPS/Crew Interface | Crew Commands, Displays, New Crew, Interface Ambiguity, Mistakes | Reduced Power Capability; Unintended Shutdown | 3,4
EPS Ground Operations Interface | Power Management Configuration History; Audit Trail or Automated Activities; Training; Commands/Displays | Reduced Power Capability | 3,4
Attitude Control | Failure to Maintain Required Stable Attitude Because of Unknowns in Controlling Large, Flexible Structures | Reduced Power Capability | 3,4
Command | Degraded TM Data Transmission | Reduced Information | 3,4
 | Loss of CPU Power | Reduced Automation Capability | 3,4
Data | Software Maintenance | Reduced Power Capability | 3,4

*See Table 4.4.1-2.

Table 4-4 List of Other Factors That Could Affect EPS Design and Performance

Factor | Primary Effects On
Orbital Environment and Parameters: Charged-Particle Degradation; Thermal Cycling; UV Losses; Solar Flare; Solar Intensity Variation; Plasma Interactions | Solar Array
Station Orientation | Solar Array
Station Growth | Array, Batteries, Power Distribution
Life | Solar Array, Batteries
Onorbit Maintenance, Rendezvous and Docking | Checkout and Diagnostic Abilities
Assembly and Buildup | Solar Array, Batteries
Mission Operations | All Subsystem Elements







The most serious failure is one that is undetected and uncorrected.
This could arise from a lack of redundancy, or a double or triple
failure. The operational impact of an undetected and uncorrected failure
can range from complete loss of mission functions to loss of EPS func- 
tions. One object of automation is to provide the resources, monitor- 
ing, and control to ensure that all admissible failures are detected 
and corrected in a timely manner. When there is timely failure detec- 
tion and correction, the operational impact can be lowered to that of 
loss of fault-management capability. The possible impacts of the two 
kinds of failures are summarized as follows: 

1) Undetected and uncorrected failure impacts, 

a) Damage to user loads, 

b) Loss of mission capability, 

c) Safety hazards, 

d) Wiring damage, 

e) Schedule, mission operations, and planning, 

f) Possible drive of SS into shutdown, survival mode,

g) Time required to bring SS back up to operational mode, 

h) Time required for damage assessment, 

i) Time for maintenance, resupply, STS future flights, 

2) Timely fault detection and correction impacts,

a) No damage to user loads,

b) Minimum user-load downtime, loads shifted to backup,

c) Immediate decrease in backup capability, 

d) Requirement for maintenance resupply, 

e) Possible impact on operations that require more backup capabil- 
ity than exists, 

f) Minimized impact on mission by timely fault detection and 
correction. 

The key conclusion drawn from Task 2 is that automation is essential in 
correcting the problems identified and that automation is an enabling 
technology. 

4.1 PHOTOVOLTAIC ARRAY FAILURE MODES AND OPERATIONAL IMPACT 

Failure Modes - A photovoltaic array usually consists of a number of 
series and parallel strings of solar cells. Each string requires an 
isolation diode. For articulating solar arrays, power transfer from 
the array to the power-conditioning equipment may require a slip ring, 
a roll ring, or a "flex ring." 

A catastrophic, single-point failure is the slip ring. A short or open 
in the slip ring causes a loss of all power from the array served by 
that slip ring. An open failure of an interconnect wire (or open iso- 
lation diode) in a series string causes a loss of that string. This 
failure results in loss of a fraction of the array power. There are 
other long-term degradations that result in loss of solar array power, 
such as slow degradation of the cover glass or lens by micrometeorites, 
outgassing, or process failure. 

Environmental impacts on the solar array are possible arcing and loss 
of array power owing to parasitic currents set up in the plasma. If 
there are gimbals and slip rings on the solar array, this implies a
tracking servo with commands, electronics, and a stepper motor. There 
are catastrophic failures, degraded accuracy failure, and failures that 
result in oscillation of the servo motor, with premature wear-out asso- 
ciated with the elements of the sun-tracking servo system. Attitude 
control and operational mode can affect the solar array by shadowing 
the array. Shadowing reduces the output of the array and can lead to 
solar-cell failures from excessive heating or reverse-voltage breakdown. 

Operational Impact - A summary of the solar array and associated com- 
ponents and the operational impact of the failure modes is given in 
Table 4.1-1. The operational impacts used are listed in Table 4-2.


Table 4.1-1 Solar Array Failure Modes and Impacts

Failure Mode | Cause | Effect | Operational Impact
Solar Array Section - Open | Broken Interconnect, Shadowing | No Power | 2-4
Solar Array Section - Short | Insulation Breakdown, Arcing | No Power | 2-4
Cover Slide, Loss of Transmissivity | Micrometeorites, Outgassing from S/C, Process Failure | Reduced Power | 4-6
Loss of Cover Glass Transmissivity | UV Degradation; Cover-Glass Erosion; Plume Deposits | Reduced Power | 4-6
Isolation Diodes Open | Process Failure, Lack of Redundancy | No Power | 2-4
Failure to Track Sun, Catastrophic | CMD Fail; Servo Fail; Motor Fail | Reduced Power | 4-6
Degraded Ability to Track Sun | Pointing Impairment, Structure; Servo Oscillation | Reduced Power | 4-6
Slip Ring Open/Short | Lack of Redundancy; Inadequate Test | No Power | 2-4

There are no solar-array failures that will cause a catastrophic loss
of the spacecraft. This assumes there is sufficient redundancy that
loss of a solar-array section or ring can be tolerated. Depending on
the amount of redundancy present, the impact of losing a solar-array
section can range from complete loss of mission functions to loss or
degradation of EPS functions. Degradation of the cover slide or
antireflective coatings can range from degradation of EPS capability to
no significant impact.

4.2 ENERGY STORAGE FAILURE MODES AND OPERATIONAL IMPACT

4.2.1 NiCd Cell and Battery

Failure Modes - A summary of failure modes for NiCd cells is given in
Table 4.2.1-1. To be useful, the cells must be assembled in series and
parallel interconnections. Approximately 200 series-connected cells 
would be required for a 300-Vdc system, and about 22 cells in series 
would be required for a 28-Vdc system. 

A battery requires operational control and auxiliary systems control. 
Operational control consists of the following three categories: 

1) Charge Control 

2) Discharge Control 

3) Offline Operations 

Typical charge control limits cell or battery voltage as a function of
temperature. Amp-hour integration is usually required for depth-of- 
discharge determination. Discharge control involves limiting the maxi- 
mum DOD. For a battery with several hundred cells, individual-cell or 
multiple-cell module monitoring may be required to guard against cell 
reversal during discharge. Cell reversal can result in gas generation, 
case rupture, and loss of battery. 
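
The three controls just described (a temperature-dependent charge voltage limit, amp-hour integration for depth of discharge, and module monitoring against cell reversal) can be sketched as one monitor step. This is an added example, not code from the report; every limit value, the linear voltage/temperature law, and the module-sag test for reversal are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration. Every numeric limit used with this code is a
 * constructed placeholder, not a value from the report. */
enum {
    BATT_OK           = 0,
    BATT_CHARGE_LIMIT = 1, /* temperature-compensated voltage limit reached */
    BATT_DOD_LIMIT    = 2, /* maximum depth of discharge reached */
    BATT_MODULE_LOW   = 4  /* a module sags enough to suggest cell reversal */
};

typedef struct {
    double capacity_ah;       /* rated capacity */
    double max_dod;           /* allowed depth of discharge, 0..1 */
    double v_limit_0c;        /* per-cell charge voltage limit at 0 deg C */
    double v_limit_slope;     /* change in that limit per deg C (negative) */
    double reversal_margin_v; /* sag below the module average that raises the flag */
    double ah_out;            /* amp-hour integrator: net charge removed */
} batt_ctrl;

double batt_dod(const batt_ctrl *b)
{
    return b->ah_out / b->capacity_ah;
}

/* Assumed linear law: the per-cell limit falls as the cells get warmer. */
double batt_charge_limit(const batt_ctrl *b, double temp_c)
{
    return b->v_limit_0c + b->v_limit_slope * temp_c;
}

/* One monitoring step. current_a > 0 is discharge, < 0 is charge.
 * module_v holds one voltage per series-connected module. */
unsigned batt_update(batt_ctrl *b, double current_a, double dt_s, double temp_c,
                     const double *module_v, size_t n_modules,
                     unsigned cells_per_module)
{
    unsigned flags = BATT_OK;
    double sum = 0.0;

    /* Amp-hour integration; charge efficiency is ignored (assumption). */
    b->ah_out += current_a * dt_s / 3600.0;
    if (b->ah_out < 0.0)
        b->ah_out = 0.0;               /* cannot exceed fully charged */

    for (size_t i = 0; i < n_modules; i++)
        sum += module_v[i];
    double mean = sum / (double)n_modules;

    for (size_t i = 0; i < n_modules; i++) {
        /* Charge control: per-cell voltage against the limit for this temperature. */
        if (current_a < 0.0 &&
            module_v[i] / cells_per_module >= batt_charge_limit(b, temp_c))
            flags |= BATT_CHARGE_LIMIT;
        /* Discharge control: a module far below its peers may hold a cell
         * that is being driven toward reversal. */
        if (current_a > 0.0 && mean - module_v[i] >= b->reversal_margin_v)
            flags |= BATT_MODULE_LOW;
    }
    if (current_a > 0.0 && batt_dod(b) >= b->max_dod)
        flags |= BATT_DOD_LIMIT;
    return flags;
}

int main(void)
{
    /* Constructed battery: 4 modules of 10 cells, placeholder limits. */
    batt_ctrl b = { 50.0, 0.25, 1.50, -0.003, 1.0, 0.0 };
    double sagging[4] = { 12.0, 12.0, 10.4, 12.0 };
    unsigned f = batt_update(&b, 25.0, 36.0, 10.0, sagging, 4, 10);
    printf("DOD=%.3f flags=%u\n", batt_dod(&b), f);
    return 0;
}
```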

Table 4.2.1-1 Basic Failure Modes of Nickel-Cadmium Battery Cells

Failure | Causes | Effect
Low Discharge Voltage | Loss of capacity; reduction in active material within cell. | Possible bus undervoltage during discharge.
Loss of Capacity | Redistribution of electrolyte or active material within cell. Overcharge or cell reversal. | Possible unexpected bus-voltage drop during discharge.
Open Cell | Seal failure; break in electrode-terminal connection. | Possible unexpected bus voltage drop and electrolyte or power loss during discharge; whole string of cells deactivated.
Shorted Cell | Electrode bridging by conductive active discharge. Contact between electrodes caused by separator deterioration. | Possible bus undervoltage active material; power loss during charge and discharge. Can cause excessive overcharge of the remaining cells, leading to premature failure.
Cell Overpressure (Limited to Sealed Cells) | Gas generation by overcharge or cell reversal. | Possible cell explosion or rupture.


Offline operations include capacity measurement, reconditioning, and 
equalization charging (in the case of several batteries connected to 
one bus). Thus, it is seen that a NiCd battery has traditionally re- 
quired extensive operational controls owing largely to uncertainties in 
its performance with time. A summary of battery-operational control 
failures, their effects, and criticality is given in Table 4.2.1-2.

When batteries are charged or discharged, they generate heat. If this 
heat can not be removed, the battery will overheat. NiCd batteries are 
generally constrained to operate within narrow temperature limits,
e.g., 5°C to 15°C, to assure mission life. The upper temperature limit 
is sometimes controlled by minimizing battery discharge or minimizing 
or terminating the overcharge. 



Table 4.2.1-2 NiCd Battery Operational Control Failures

Failure | Effect | Criticality
Charge Control - Overcharge | Reduction of Life | 4
Charge Control - Undercharge | Undercapacity | 5
Charge Control - DOD Determination Failure | Loss of Ability to Accurately Charge and Discharge | 5
Discharge Control - Cell Reversal | Cell Overpressure Failure | 4
Discharge Control - Excessive DOD | No Significant Impact if not Repetitive | 6
 | Repeated, premature battery failure | 5
Offline Operation - Capacity Measurement Error | Erroneous Information about Battery State of Health, Possible Future Over/Under Use | 5
Offline Operation - Reconditioning Failure | Cells Not Rejuvenated or Equalized | 5


Operational Impact - A summary of generic battery failures for the
three basic operating modes is given in Table 4.2.1-3. Under the
assumption that the batteries would not have any function during launch
or initial orbital assembly, there is no impact from failure here. It 
is possible that loss of battery capacity could cause a partial loss or 
degradation of mission functions, depending on the amount of capacity 
safety factor initially used. 



Table 4.2.1-3 Other Battery Failures

Failure | Causes | Effect
Complete Battery Loss | Cell Failure. Cell Reversal Due to Discharge Failure | Loss of EPS capability.
Battery Capacity Degradation | Excessive DOD Due to Control Failure. Insufficient Charge Due to Control Failure | Degradation of EPS capability (bus power).
Thermal Control Failure, High Temperature | Inability to Reduce Loads | Degradation of EPS capability.
Heater Blanket | Broken Electrical Leads | Degradation of EPS capability.


The impact of a single-cell failure will depend on whether there is
onboard cell-level* sensing, switching, and replacement available. If
onboard cell replacement is not available, then the impact will be loss
of EPS battery capability. There would be a further schedule,
maintenance, and STS flight impact to remove and replace the bad cell.
If onboard cell replacement were available, the bad cell would be
automatically replaced and the EPS would have full capability. The
impact of the failure would be loss of fault-management capability in
the EPS. The number of spare cells would have been reduced by one. When
all of the spare cells are switched online, then the next cell failure
would result in a battery loss. This is an example of how active
redundancy management can reduce the severity of a fault impact.

*For a battery string containing 200 cells in series, "cell-level" can be
"module-level," with the module consisting of 10 to 20 cells that can
serve as the lowest replaceable unit.

4.2.2 NiH2 Cell and Battery

Failure Modes - A summary of the failure modes of a NiH2 cell is given
in Table 4.2.2-1. NiH2 has all the generic failure modes of any
battery cell such as open, short, and loss of capacity. NiH2 batteries
require operational control similar to NiCd batteries and are
susceptible to control failures. A unique feature of NiH2 batteries is
that their available capacity is proportional to the internal pressure,
and, therefore, pressure can be used as a control parameter. They
require pressure vessels and thus are susceptible to a mechanical
failure that permits H2 to escape from a given cell. A control failure
that can cause loss of a NiH2 battery is overcharging. Overcharging
causes a pressure buildup that can cause a pressure-vessel failure and
loss of a battery. Pressure-vessel rupture presents a potential hazard.
Worst-case analysis and qualification of the pressure vessel are
mandatory to guarantee that there would not be a safety hazard from an
exploding pressure vessel.

Operational Impact - All failure impacts identified for the NiCd battery
apply to the NiH2 battery also.


Table 4.2.2-1 Failure Modes of Nickel-Hydrogen Battery Cells

Failure | Causes | Effect
Open Cell | Seal failure; escape of hydrogen gas; break of electrode terminal connection. | Possible unexpected bus-voltage drop and loss of power during discharge; loss of battery.
Shorted Cell (Primarily a Common Pressure Vessel Cell Failure). | Electrolyte and active material redistribution. | Possible bus undervoltage and loss of power during charge and discharge.
Pressure Vessel Failure | Excessive gas generation due to overcharge, charge-control failure. | Same as open cell. Cell-case rupture hazard.


4.2.3 Regenerative H2O2 Fuel Cell

Failure Modes - A regenerative H2O2 fuel cell consists of an
electrolysis module that separates H2 and O2 from H2O; a fuel cell to
generate electrical power from H2 and O2 and run auxiliary equipment;
a source of power for the electrolysis module (assumed to be a solar
array); storage for H2O, O2, and H2; a heat exchanger; a radiator;
pumps; and a voltage regulator for the electrolysis module.

Failures can be grouped in three areas:

1) Electrolysis unit;

2) Fuel-cell unit;

3) Auxiliary equipment.

A potential hazard exists when free oxygen and hydrogen are present in
a system. However, there is general agreement among the fuel-cell
manufacturers that a catastrophic failure is highly improbable. By
design, they keep the volumes of free hydrogen and oxygen as small as
possible. The electrolysis and fuel-cell units are quite similar,
their main difference being the catalysts used to optimize operation as
an electrolyzer or fuel cell. The major failure mode in the
electrolyzer or fuel cell is a membrane failure that allows O2 into the
H2 manifold or H2 into the O2 manifold. Considering present designs,
the highest unreliability is in auxiliary equipment. Pumps are known
to wear out from mechanical failure. The voltage regulator for the
electrolysis unit is subject to all the standard failure modes of
power-processing electronics.

A summary of the failures that can cause shutdown of the electrolysis
and fuel-cell subsystems is given in Table 4.2.3-1. These failures are
detected by the following types of sensors:

1) Absolute pressure;

2) Differential pressure level;

3) Temperature;

4) Voltage and current.

Table 4.2.3-1 Regenerative H2O2 Fuel-Cell Failure Modes

Electrolysis Subsystem:
H2 in O2 Manifold
O2 in H2 Manifold
Module Current High
Module Voltage High
Cell Voltage Low/High
H2 Separator Level Low/High
O2 Separator Level Low/High
O2 Separator Level High
H2O Circulation Low
Circulating Pump Pressure Low
H2O Resistivity Low
H2 Pressure Low/High
O2 Pressure Low/High
O2/H2O Outlet Temp High
H2 Condenser Temp High
O2 Condenser Temp High
H2O Temp Low
H2O Pump Pressure Low
Module Coolant Temp High

Fuel-Cell Subsystem:
H2 in O2 Manifold
O2 in H2 Manifold
Module Current High
Module Voltage Low
Cell Voltage Low
Product H2O Level Low/High
Module Coolant Pressure Low
H2 Outlet Pressure Low/High
O2 Outlet Pressure Low
O2 Inlet Pressure High
(O2 Out - H2 Out) Pressure Low
(O2 In - O2 Out) Pressure Low
Piston Pressure Low
Pad Pressure Low
H2 Temp Low/High
O2 Temp Low/High


Operational Impacts - A summary of the regenerative fuel-cell failure
modes and operational impacts is given in Table 4.2.3-2. The
operational impact of the failure is highly dependent on the amount of
redundancy available to correct the failure. If there were n units
available and only n-1 were required to satisfy all requirements, then
the impact of the first unit failing would be only a loss of
fault-management capability. On the other hand, the operational impact
of the second unit failing would be a loss of EPS capability.

Failure of an electrolysis unit would mean (1) loss of capability to
store solar-array energy, and (2) loss of functional redundancy to
produce breathable oxygen from water and electrical power. If the
electrolysis unit were used to convert wastewater in a closed system,
then there could be a buildup of wastewater. Loss of a fuel cell would
result in loss of electrical-power capability and loss of ability to
produce potable water from hydrogen and oxygen.



Table 4.2.3-2 Regenerative Fuel-Cell Failure Modes and Operational Impacts

Failure Mode | Cause | Effect | Operational Impact
Electrolysis Unit Failure | Membrane Failure | Can not convert water into hydrogen & oxygen. | 4, 5
Fuel-Cell Unit Failure | Membrane Failure | No electrical output. Can not convert hydrogen and oxygen into electrical power. | 4, 3
Auxiliary-Equipment Pump Failure | Mechanical Failure | Degradation or loss of water circulation in electrolysis unit, loss of ability to store solar-array energy. | 4, 5
Solar Array Voltage-Regulator Failure | Lack of Redundancy | Degradation or loss of electrical input to electrolyzer. Loss of ability to store solar array energy. | 4, 5
Thermal Control Not Able to Maintain Temperatures | Lack of Redundancy | Loss of capacity in electrolysis & fuel-cell units. Can not store energy, can not make electrical power from H2 and O2. | 4, 5


Loss of solar-array capability directly affects energy-storage capabil- 
ity. The regenerative fuel subsystem generates waste heat in both the 
electrolysis and fuel-cell units. If the thermal-control subsystem can 
not dissipate this waste heat, then both the energy storage and elec- 
trical power output of the regenerative fuel cell are directly af- 
fected, causing a reduction in available bus power. 

4.3 POWER CONDITIONING FAILURE MODES AND OPERATIONAL IMPACT

4.3.1 Programmable Power Processor (P3), Buck Dc-Dc Converter

Failure Modes -

1) Shorted pass transistor, P3 in voltage-regulator mode, driven by
voltage source. A shorted series-pass transistor is an admissible
failure mode for a P3. The effect is that the source is connected
to the output. The P3 design includes a system-level overvoltage
sensor and shunt switch to keep the voltage below unsafe levels and
cause the input fuse to open. If the load bus voltage drives up to
the overvoltage limit, the external shunt switch turns on, and the
input fuse on the P3 opens. This prevents possible damage to the
user loads.

If there is a double failure, in which the series-pass transistor
shorts and the overvoltage sense fails, then the source would be
connected to the loads. The input fuse might or might not open. This
double failure may damage the user loads.

2) Shorted pass transistor, P3 in battery charger mode, driven from a
solar array. In the battery-charger mode, the P3 would be driven
by a solar array. The effect of the failure would be to connect
the battery across the solar array. The battery would change the
operating point of the solar array and the array voltage would
decrease to that of the battery. The P3 can not correct this
condition because all it can control is its pass transistor. This
will generally not be a safety problem. Detection and correction
times of minutes probably will be acceptable. The P3 detects a
shorted pass transistor. This status signal can be used to open a
contactor to remove the P3 from the solar array.

3) Input over voltage or current, output over voltage or current, and
internal over temperature. The effects of any of these failure
modes are:

a) P3 is sent to shutdown state by its internal microprocessor,

b) An external reset is required before P3 will turn back on,

c) Output overload current is caused by user loads.

The P3 will support an overload for a programmed length of time,
then it will automatically turn off and wait for a programmed
length of time. It will then automatically turn on. If the overload
is gone, it will continue normal operation. If the overload
is still present, it will continue cycling on/off/on until it
receives an external command. The net effect is that the P3 turns
itself off.
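
The protective behaviour in failure mode 3 can be modelled as a small state machine: a latched shutdown that needs an external reset, and a timed on/off cycle under overload that runs until an external command arrives. This is an added example, not code from the report or from any P3 firmware; the state names, tick-based timing, and the supervisor's `max_retries` limit are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration: state names and tick-based timing are assumptions. */
typedef enum {
    P3_ON,        /* regulating normally */
    P3_OVERLOAD,  /* on, supporting an overload while the support timer runs */
    P3_OFF_WAIT,  /* automatically off for the programmed wait time */
    P3_SHUTDOWN,  /* latched off by a protective trip; needs external reset */
    P3_CMD_OFF    /* turned off by external command; needs external reset */
} p3_state;

typedef struct {
    p3_state state;
    unsigned support_ticks; /* programmed time an overload is supported */
    unsigned wait_ticks;    /* programmed off time before automatic turn-on */
    unsigned timer;         /* ticks elapsed in the current timed state */
    unsigned retries;       /* automatic turn-ons since the last overload-free tick */
} p3_ctrl;

typedef struct {
    bool overload;  /* output overload current caused by user loads */
    bool trip;      /* input/output overvoltage, input overcurrent, overtemperature */
    bool ext_reset; /* external reset */
    bool ext_off;   /* external command that ends the on/off cycling */
} p3_inputs;

void p3_init(p3_ctrl *c, unsigned support_ticks, unsigned wait_ticks)
{
    *c = (p3_ctrl){ P3_ON, support_ticks, wait_ticks, 0, 0 };
}

bool p3_output_enabled(const p3_ctrl *c)
{
    return c->state == P3_ON || c->state == P3_OVERLOAD;
}

/* Advance the controller by one tick and return the new state. */
p3_state p3_step(p3_ctrl *c, p3_inputs in)
{
    if (c->state == P3_SHUTDOWN || c->state == P3_CMD_OFF) {
        /* Latched off: only an external reset with the trip cleared restarts. */
        if (in.ext_reset && !in.trip) p3_init(c, c->support_ticks, c->wait_ticks);
        return c->state;
    }
    if (in.trip) return c->state = P3_SHUTDOWN;
    if (in.ext_off) return c->state = P3_CMD_OFF;
    switch (c->state) {
    case P3_ON:
        if (in.overload) { c->state = P3_OVERLOAD; c->timer = 0; }
        else c->retries = 0;
        break;
    case P3_OVERLOAD:
        if (!in.overload)
            c->state = P3_ON;           /* overload gone: normal operation */
        else if (++c->timer >= c->support_ticks) {
            c->state = P3_OFF_WAIT;     /* support time used up: turn off */
            c->timer = 0;
        }
        break;
    case P3_OFF_WAIT:
        if (++c->timer >= c->wait_ticks) {
            c->state = P3_ON;           /* automatic turn-on */
            c->timer = 0;
            c->retries++;
        }
        break;
    default: break;
    }
    return c->state;
}

/* Hypothetical supervisor: replay an overload trace, send the external off
 * command once max_retries automatic turn-ons have failed to clear the
 * overload, and return how many ticks the output was enabled. */
unsigned p3_run_overload_trace(p3_ctrl *c, const bool *overload, size_t n,
                               unsigned max_retries)
{
    unsigned on_ticks = 0;
    for (size_t i = 0; i < n; i++) {
        p3_inputs in = { overload[i], false, false, false };
        in.ext_off = overload[i] && c->retries >= max_retries;
        p3_step(c, in);
        on_ticks += p3_output_enabled(c) ? 1u : 0u;
    }
    return on_ticks;
}

int main(void)
{
    bool stuck[20];                 /* constructed: a load fault that never clears */
    p3_ctrl c;
    for (size_t i = 0; i < 20; i++) stuck[i] = true;
    p3_init(&c, 3, 2);
    unsigned on = p3_run_overload_trace(&c, stuck, 20, 2);
    printf("on_ticks=%u retries=%u state=%d\n", on, c.retries, (int)c.state);
    return 0;
}
```

With a fault that never clears, the model keeps re-energizing the load until the supervisor intervenes, which is the cycling behaviour the text says ends only on an external command.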

Operational Impacts - A summary of P3 failure modes, causes, effects,
and operational impacts is given in Table 4.3.1-1. The most serious of
these is loss of mission functions owing to an undetected and
uncorrected shorted pass transistor that results in connecting the
high-voltage input to the low-voltage output loads. This results in
destruction of the user loads. Normally, this fault will be detected and
corrected by a system-level shunt regulator. In this case, the user
loads are not destroyed, and the operational impact is reduced to loss
of fault-management capability.

The operational impact of low output power can range from degradation
of mission function to loss of fault-management capability, depending
on the amount of redundancy available. If there were no redundancy,
and the P3 with low output power could not be replaced, then the
impact would range from degradation of mission function to loss of EPS
function. If there were a redundant component that would allow
replacement of the failed P3, then the operational impact of the
failure would be reduced to loss of fault-management capability.

The other faults shown will generally result in an operational impact
of a degraded EPS function if there is no standby redundancy to which
to switch. If there is standby redundancy, then the impact would be
lowered to loss of fault-management capability.

Table 4.3.1-1 P3 Failure Modes and Impacts

Failure Mode | Cause | Effect | Operational Impact
Vout Hi | Shorted Pass Transistor, Failed OV Sensor | Damage Loads | 2
 | Shorted Pass Transistor (Corrected) | | 5
Low Output Power | Control Circuit Failure | Partial Loss of Power | 3,4
Efficiency | Filter Capacitor Leakage, Pass Transistor Switching Loss Increase, Saturation Voltage Increase | Assembly Overheats | 4
Vin Hi | System Anomaly | Assembly may Fail | 4
Iin Hi | Hi-Leak Input Filter Capacitor | Assembly Overheats | 4
High Temp | Thermal Subsystem Failure | Assembly Overheats | 4
Iout Overload | Component Degradation, Load Fault, or Overload | Output Overheats | 4


4.3.2 Transformer-Coupled Converter (TCC), Buck-Derived Dc/Dc Converter


This type of power converter can be used for main or local (housekeep- 
ing supply) power-conversion functions. This configuration has a 
transformer to isolate input from output. The configuration can be 
that of a buck-derived converter or a Cuk Converter. 

Failure Modes - 

1) Shorted series-pass transistor. This is a major failure mode.
Because there is a transformer between the input and output, the
input is not connected to the output. The load voltage does not go
up; instead, it decays to zero. At the input, there will be a
short across the source and an input fuse must open to clear the
fault.

2) Control electronics. A second major failure mode is associated with
the control electronics. One type will cause 100% duty-cycle
operation and try to drive the output into overvoltage. Whenever the
overvoltage detector works, the TCC will be turned off. If there
is a double failure, in which the control circuit fails to 100% duty
cycle and the overvoltage detector fails to operate, then loads can
be destroyed. The cause of this failure is inadequate redundancy.
Possible fixes are redundant control circuits, redundant local
overvoltage detectors, or a system-level overvoltage detector combined
with a shunt switch.

The TCCs, as they are known to exist today, do not have the extensive
self-protection and local automation features that the P³ has, but
they could be added.

Operational Impacts - A summary of the TCC failure modes and operational
impact is given in Table 4.3.2-1. An undetected and uncorrected
output overvoltage can result in loss of mission functions. Also, a
failure where no power is provided to the user loads can result in an
operational impact or loss of mission functions. If there is standby
redundancy and timely detection and correction, then the operational
impact of the above two failures can be reduced to loss of fault-man- 
agement capability. The operational impact of converter-efficiency 
degradation can range from degradation of EPS capability to no signifi- 
cant impact. The actual impact will be strongly affected by the degree 
of converter overheating and how closely the converter shutdown limits 
are approached. 


Table 4.3.2-1 Transformer-Coupled-Converter Failure Modes and Impacts

| Failure Mode | Cause | Effect | Operational Impact |
|---|---|---|---|
| Vout High | Control Fail, Overvoltage Protection Failure | Damage Loads | 2 |
| No Output | Shorted Pass Transistor or Open Component | No Power to Loads | 2 |
| Degraded Efficiency | Filter-Capacitor Leakage Increase, SW Transistor Loss Increase | Assembly Overheats | 4,5,6 |

There are failure modes where the efficiency or ripple voltage is
degraded. For these failure modes, the TCC will function, but will not
result in optimum operation. The heat-rejection requirement will be
increased owing to lower efficiency. This degraded component can be
relegated to backup status. The longer-term impacts would be schedule,
maintenance, STS flights, and failure analysis to determine the reason
for the degradation.

4.3.3 Series-Resonant Inverter (SRI), Dc to Ac 


Failure Modes - 

1) Shorted power semiconductor. This is a major failure mode that 
results in a short across the input and a control-circuit failure 
that results in an output overvoltage. There are control failures 
that result in loss of output. A load fault does not harm the SRI, 
because inherently it is a current source and can supply shorts 
without damage. 

2) Control circuit malfunction resulting in simultaneous conduction of 
power switch. The SRI uses power semiconductors as switches in the 
full-wave rectifier bridge. An inherent failure occurs if the con- 
trol circuitry allows both power semiconductors to conduct at the 
same time. When both power switches conduct, they are across the 
power source and can be destroyed. Electronic protection circuits 
for this failure mode are required of all SRI circuits. When a 
power switch is shorted due to either a control or switch failure, 
there is a fault across the source. The fault must be cleared by a 
fuse. Should the fuse fail to clear the fault when there is a 
battery connected to the bus, there is a potential fire hazard due 
to wire overheating. If the source is only a solar array and no 
battery, then the fault currents would be limited and there would 
not be a safety hazard to wires. An external evaluation would be 
required to sense the failure, remove the SRI, and switch a backup
online.

3) Commutating diode fail shorted. There are commutating diodes
across each power switch. If one of them were to fail shorted, the
next time the other power switch is turned on, there would be a
short across the source. The impact would be the same as item 2
above.

4) Control circuit failure causing output to be overvoltage or no
output. A second major safety failure mode is a control-circuit
failure that allows the output to go overvoltage. There are two areas
affected by this failure: first, user loads can be damaged; second,
the SRI input capacitors can be driven overvoltage and destroyed.
Further work is required to define how the input capacitors
fail when they are driven overvoltage. The safing for
shorted-input capacitors is for an input fuse to open.

There are control circuit and wiring failures that will result in 
no output from the SRI. For these failures, external analysis is 
required to sense the failure and switch a backup unit online. 

Operational Impact - A summary of the SRI failure modes and their oper-
ational impact on the mission phases is given in Table 4.3.3-1. A
shorted power semiconductor is a safety hazard if it is not detected 
and corrected. The safety hazard occurs when the fault across the 
source is not cleared and wiring may be destroyed. An output overvolt- 
age failure is also one that can propagate from the converter to the 
wiring and user loads if it is not detected and corrected. The output 
overvoltage could cause destruction of the user loads. To assess the 
impact of these failures, an assumption about redundancy must be made. 
If sufficient redundancy is provided to eliminate single-point
failures, the impact would be partial loss or degradation of mission
functions. In addition, there would be these impacts: time to assess the
damage, delay assembly, immediate decrease in spacecraft capability,
schedule/maintenance, and future STS flights.


Table 4.3.3-1 Series-Resonant-Inverter Failure Modes and Impacts

| Failure Mode | Cause | Effect | Operational Impact |
|---|---|---|---|
| Power SCR Short | SCR Fail, Control Failure, Fuse Fail | No Output | 2 |
| Power SCR Open | Control or SCR Fail | No Output | 2 |
| Commutating Diode Shorted | Diode Fail, Fuse Fail | No Output | 2 |
| Load Short | Load Fail | No Output Power, SRI Not Harmed by Short | 3 |
| Vout High | Control Fail, OV Protection Fail | Damage Loads | 3 |
| No Output Voltage | Wire Open | No Power Output | 2,3 |
| Degraded Efficiency | Filter-Cap. ESR Increase | Assembly Overheats | 4,5,6 |
| Resonant Caps. Fail on Overvoltage | Lack of Redundancy, Lack of Margin | No Output | 2,3 |


If there were to be timely detection and correction for a source short 
or output overvoltage, then the impact would be lowered to loss of 
fault-management capability. The fault would be detected and cor- 
rected, and a redundant unit would be brought online. In this case, 
mission functions would not be affected. The EPS would function nor- 
mally. There would be an impact on the reserve capacity of the EPS 
owing to the fact that a redundant unit was brought online. There 
would be a future impact on schedule/maintenance and STS flight to re- 
place the failed component. Additionally, the loss of reserve capacity 
in the EPS could affect future space station operations if there were 
rules that required a certain level of reserve capacity. An SRI has a
unique failure mode where a control-electronics failure can cause the
input capacitors to fail on overvoltage. This failure is noted to
ensure that (1) a thorough analysis of the overvoltage failure mode of
the capacitors used is performed, and the package is sufficient to
contain debris from a failure, and (2) there is not a catastrophic loss of
the spacecraft.

An SRI will have multiple piece-part failures that will cause it to 
have no output. Assuming some redundancy, the impact of this failure 
should be limited to loss of fault-management capability. A decrease 
in efficiency of the SRI would result in less-than-optimum operation. 
This could result in higher demands on the thermal subsystem.
Depending on the degree of efficiency degradation, the SRI would be
acceptable for use. A good configuration-management philosophy would require
the degraded SRI be placed on standby and the backup unit used.

4.3.4 Solar-Array Voltage Controller 

Failure Modes - There are several design configurations and concepts 
for controlling the upper limit of the solar-array bus voltage. The 
main ones are the following: 

- Multiple-Array Segment Switching
  - Series-Switch/Series-Array Segments
  - Shunt-Switch/Series-Array Segments
  - Series-Switch/Parallel-Array Segments
  - Shunt-Switch/Parallel-Array Segments

- Full Analog Shunt Regulator

- Partial Shunt Regulator

- Hybrid Shunt Regulator

Table 4.3.4-1 lists the major failure modes, effects, and operational impacts
that are summarized below.

Table 4.3.4-1 Array-Voltage-Control Failure Modes and Impacts

| Configuration | Failure Mode | Effect | Operational Impact |
|---|---|---|---|
| Series-Switching, Series Array | Switch Fail Closed | + | 4 |
| | Switch Fail Open | * | 6 |
| Series-Switching, Parallel Array | Switch Fail Open | * | 4 |
| | Switch Fail Closed | +* | 6 |
| Shunt-Switching, Series Array | Switch Fail Closed | * | 4 |
| | Switch Fail Open | +* | 6 |
| Shunt-Switching, Parallel Array | Switch Fail Closed | * | 4 |
| | Switch Fail Open | + | 6 |
| Full Shunt | Shunt Fail Shorted | No Power | 2,3,4 |
| | Radiator Failure | + | 3,4 |
| Hybrid Partial/Full Shunt | Failure of One of n Digitally Controlled Switches | | 4 |
| | - Closed | * | 6 |
| | - Open | + | |
| | Failure of One of n Linear Shunt Regulators | + | 4 |
| Series-Switching, Series Array with Full Shunt | Switch Remains in One Position | + | 4 |
| | Single Component Failures That Will Cause Oscillations | Lose Control | 3,4 |
| Partial Shunt | Shunt Fail Shorted | Reduced Power, Lose Control | 4 |
| | Piece-Part Failure Causing Oscillation | + | 4 |

* Partial Loss of Power
+ Partial Loss of Control



a. Multiple Array Segment Switching Failures. For the array-switching
configurations, the major failure mode is a switch stuck in one
position or stuck in the middle with no contact at all. The switch failure
can be caused by an open or short in the switching element itself, or a
control or interface failure. The cause of all these failures is
insufficient redundancy in the switches and control circuits. The effect
of the failure would be loss of a string, or loss of control of a
string. The impact of the failure on array output power would depend
on the number of strings present.

b. Full Analog Shunt Failures. A full shunt can fail by shorting or
opening. If the full shunt shorts, there is no array output voltage.
If the full shunt fails open (shunt switches fail open, or control
failure) the array output voltage is present, but it can not be limited 
by the full shunt. A full shunt is required to dissipate the total ar- 
ray power; therefore, it is strongly affected by the thermal-control 
subsystem. If the thermal-control subsystem is not able to accept all 
the waste heat from the full-shunt regulator, then the EPS output capa- 
bility would be reduced. 

c. Partial-Shunt Regulator. A partial-shunt regulator will be subject
to all the failures of a full shunt except that the thermal-dissipation 
control problem will not be as severe. The partial shunt is not re- 
quired to dissipate the full-array power. Therefore, the demands on 
the thermal control subsystem are not as severe as with the full shunt. 

d. Hybrid-Shunt Regulator. The hybrid-shunt regulator will contain
both discrete and continuous shunt switches. There can be both full 
and partial shunt switches. The array will be partitioned into differ- 
ent groups of series and parallel solar cells for control. The strings 
can either have equal or unequal power. One method is to use binary 
weighting of the power. 

A generic hybrid system could have binary-weighted parallel strings 
with discrete, partial-shunt switches on all but the smallest string. 
The smallest string could have a continuous shunt. 

The generic hybrid system is not required to dissipate the entire array
power. Because this system contains a number of binary-weighted, dis- 
crete, partial-shunt switches, the loss of any one switch will result 
in either a loss of control for an open switch, or loss of power from a 
parallel branch for a shorted switch. The continuous shunt switch is 
used for a fine control. Because it generally will have the smallest 
power-handling capability, loss of the continuous switch will result 
only in loss of fine-control capability, and not in loss of the array. 

Operational Impacts - Failures in the photovoltaic-array switching will 
not affect launch because these components are not operational during 
launch. These components generally will not have an initial on-orbit
assembly function. The impact of a failure during on-orbit assembly
could cause an assembly delay, schedule and maintenance impact, and an
impact on future STS flights. If no single-point failures are assumed,
one failure in an array voltage control unit would result in the loss
of only a fraction of the total array. Therefore, space station
operations could be affected by less-than-expected solar-array power. The
impact of the failure during on-orbit assembly could be described as
partial loss or degradation of mission functions until the faulty unit
is replaced.

Failures in the switched controllers will result in loss of a fraction 
of the array power or some loss of control. The impact will be a loss 
of EPS capability. This should not result in a loss of mission func- 
tion. A decision will be required as to when to replace and repair. 

A real full-shunt regulator would be modular and redundant. A single- 
point failure causing loss of all array power or ability to limit the 
array voltage would not be allowed to happen by designing in redund- 
ancy. If a second failure causes a full-shunt switch to fail shorted, 
then the array voltage could be held at some low value until the fault 
were corrected. In a modular redundant system, an open failure would 
result in some loss of capability to limit the array voltage under 
light-load conditions. These failures would probably not affect opera- 
tions during sunlight or eclipse. A loss of voltage-limit capability 
can occur during an eclipse-to-sun transition under light-load
conditions. The array would be cold coming from eclipse, and its voltage
would go to maximum at the eclipse-to-sun transition. Inability to 
limit the maximum voltage of a cold array could possibly cause damage 
to loads or require the array to be unloaded until it warmed in the sun 
and its open-circuit voltage decreased. It is expected that passive 
radiators would be used to get rid of heat from the full shunt. Atti- 
tude constraints or abnormal vehicle-orientation modes could restrict 
the ability to dissipate waste heat and could affect the EPS. The net 
impact of these failures would be classified as loss of EPS capability. 

A flight-type hybrid photovoltaic-array voltage controller is also
expected to be modular and redundant. A hybrid controller would have a
graceful failure mode, where each failure would result in a specified
loss of control capability or power from the array. If the array
parallel strings were binary weighted, loss of the largest branch could be
one half of the array. If n equal branches were used, then loss of one
would result in only loss of 1/n of the total array. The impact of
hybrid controller failures on orbital operations is classified as loss
of EPS capability.

4.3.5 Housekeeping Power Supplies

Failure Modes - Housekeeping supplies are usually contained within an 
EPS component such as an array-control unit or within a power convert- 
er. The purpose of these supplies is to provide multiple regulated 
voltages to a specific black box. They can be either linear, dissipa- 
tive devices for onboard regulation, or switched-mode topologies. 

These supplies are subject to all the failure modes of switched-mode 
converters and linear-dissipative regulators. These supplies are sub- 
ject to over/undervoltage, oscillations, out-of-specification ripple, 
and frequency failures in clock-drive circuitry. The basic causes of 
these failures are usually attributed to insufficient redundancy, lack 
of worst-case design, and insufficient test. 

Operational Impact - The effect of failure of a housekeeping supply
will be the loss or degradation of an EPS black box that it is power- 
ing. The ultimate impact of the housekeeping-supply failure will thus 
be determined by the impact of losing the EPS black box. The impact of 
the failure of a specific housekeeping supply will be limited to loss 
of EPS capability, or loss of fault-management capability. 

4.4 POWER-DISTRIBUTION DEVICE FAILURE MODES AND OPERATIONAL IMPACT 

4.4.1 Magnetic Latching Relays


Failure Modes - A summary of the generic failure modes of a magnetic 
latching relay is shown in Table 4.4.1-1. The failures on a relay must
be considered along with failures of the relay drivers and loads. 


Table 4.4.1-1 Magnetic Latching Relay Failure Modes

| Failure Mode | Cause |
|---|---|
| Fail to Transfer | - Relay Coil Open |
| | - Interface Failure |
| | - Control Electronics Failure |
| Relay Oscillates | - Control Failure That Powers Set and Reset Coil at the Same Time |
| Relay Driver Fails | - Voltage Suppression Diode across Coil Opens, Driver Fails on Inductive Overvoltage the Next Time It Interrupts Coil Current |
| Contacts Burnt Open or Welded Shut | - Excessive Fault Current, Voltage Suppression Diode across Inductive Load Opens, then Relay Tries to Interrupt Inductive Current, Contact Failure due to Inductive Voltage Transient |
| Spurious Transfer | - Command Failure |
| | - Control Electronics Failure |



A major magnetic-latching relay-failure mode is failure to transfer on 
command. This can be due to internal relay failure (open coil, mechan- 
ical contact failure, welded contacts), interface failure, or driver- 
electronics failure. Another failure mode is relay oscillation. This 
can be caused by a control failure that commands the set and reset 
coils at the same time. A magnetic latching relay has both set and 
reset coils. These coils require parallel diodes to prevent an induc- 
tive voltage rise when the current is interrupted. Should a diode 
open, it would not be detectable until the driver tried to turn off the 
coil current. At this time, the driver would fail owing to the induc- 
tive voltage transient. This is an example of a propagating failure. 
Contacts can be burnt open or welded shut by fault currents or by in- 
terrupting an unprotected inductive current. Spurious transfer of a 
relay can be caused by a command- or control-electronics failure.
Relay position can be determined directly or by inference. A failure in the
direct position indicator (sense voltage across a spare set of
contacts) can cause a good relay to be indicated as bad. This failure could
then require the use of inference (conclusion based on indirect
sensing) to resolve an anomalous situation.

Operational Impact - Relays have recognized failure modes. It is ex- 
pected that a space-station-wide criticality classification of loads 
and redundancy requirements for relays will be made. For this reason, 
the impact of the failure of a relay in a specified redundancy
configuration is discussed below.

System-level analysis normally classifies loads and establishes redun- 
dancy requirements for each load class. Possible relay redundancy re- 
quirements are as follows: 

1) Failure of a single relay will not result in more than TBD signal 
or power-connection failure. Example — a single relay; 

2) Failure of a single relay will not prevent connecting a load. Ex- 
ample — two parallel relays; 

3) Failure of a single relay will not prevent disconnecting a load.
Example — two series relays;

4) Failure of a single relay will not prevent normal operation of a 
load. Example — four relays, two in parallel in series with two in 
parallel. 


Table 4.4.1-2 lists the operational impact of a single relay failure in
each of the above relay-redundancy configurations. For a single relay,
a failure can result in not being able to connect or disconnect a
load. For two series relays, a fail-closed mode has no effect; the
load can be removed and an open failure always causes load removal.
For parallel relays, an open failure has no effect other than loss of
redundancy. A closed failure means the load is always connected. For
four relays in series and parallel, a single relay failure has no
operational effect. Its impact is loss of redundant backup.


Table 4.4.1-2 Relay Failure Impact by Redundancy Configuration

| Relay Redundancy Configuration | Failure Mode | Effect | Impact |
|---|---|---|---|
| Single Relay | Fail Open | Does not connect load. | 3-4 |
| | Fail Closed | Does not remove load. | 3-4 |
| Two Relays in Series | One Fail Open | Does not connect load. An open failure always causes load removal. | 3-4 |
| | One Fail Closed | None. | 5 |
| Two Relays in Parallel | One Fail Open | None. | b |
| | One Fail Closed | Does not remove load. | 3-4 |
| Four Relays, Two Parallel in Series with Two in Parallel | One Relay Always Closed or Open | None, normal operation. | 5 |
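
The Effect column of Table 4.4.1-2 can be reproduced by enumerating every single-relay stuck-open or stuck-closed failure in each configuration and checking whether the healthy relays can still connect and remove the load. The following Python sketch is an added example, not part of the original report; the relay names R1 to R4 and the nested series/parallel encoding are assumptions made for illustration.

```python
"""Single-relay failure effects for the four relay-redundancy configurations.

Added illustration: relay names R1..R4 and the nested-tuple network
encoding are assumptions, not notation taken from the report.
"""
from itertools import product

# A network is either a relay name or ("S"|"P", sub-network, sub-network, ...):
# "S" = sub-networks in series, "P" = sub-networks in parallel.
CONFIGS = {
    "single relay": "R1",
    "two in series": ("S", "R1", "R2"),
    "two in parallel": ("P", "R1", "R2"),
    "two parallel in series with two parallel":
        ("S", ("P", "R1", "R2"), ("P", "R3", "R4")),
}


def relays(net):
    """List the relay names used in a network."""
    if isinstance(net, str):
        return [net]
    return [name for sub in net[1:] for name in relays(sub)]


def conducts(net, closed):
    """True if the load is connected, given each relay's closed/open state."""
    if isinstance(net, str):
        return closed[net]
    parts = [conducts(sub, closed) for sub in net[1:]]
    return all(parts) if net[0] == "S" else any(parts)


def reachable(net, stuck=None):
    """Load states (True = connected) reachable by commanding healthy relays.

    stuck is None for a healthy network, or (relay_name, is_closed) for one
    relay that no longer responds to commands.
    """
    free = [r for r in relays(net) if stuck is None or r != stuck[0]]
    states = set()
    for bits in product([False, True], repeat=len(free)):
        closed = dict(zip(free, bits))
        if stuck is not None:
            closed[stuck[0]] = stuck[1]
        states.add(conducts(net, closed))
    return states


def single_failure_effects(net):
    """Worst-case effect of one relay failing open or closed."""
    effects = {}
    for mode, is_closed in (("fail open", False), ("fail closed", True)):
        outcomes = [reachable(net, (r, is_closed)) for r in relays(net)]
        can_connect = all(True in o for o in outcomes)
        can_remove = all(False in o for o in outcomes)
        if can_connect and can_remove:
            effects[mode] = "none"
        elif not can_connect:
            effects[mode] = "does not connect load"
        else:
            effects[mode] = "does not remove load"
    return effects


if __name__ == "__main__":
    for name, net in CONFIGS.items():
        for mode, effect in single_failure_effects(net).items():
            print(f"{name:45s} {mode:12s} {effect}")
```

The enumeration covers only the connect/disconnect function; it does not model the loss of redundant backup that the report records as the operational impact.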

4.4.2 Motor-Driven Switches


Failure Modes - The generic failure modes of a motor-driven switch are 
as follows: 

1) Fail to transfer on command (motor failure, control-electronics 
failure); 

2) Spurious transfer (command or driver-electronics failure); 

3) Mechanical damage to unit if both engage/disengage coils are acti- 
vated simultaneously (control-electronics failure). 

A motor-driven switch is an electromechanical device with motors, 
gears, and limit switches. Failures associated with a motor are open, 
shorted, or partial shorts of the coils. These can result in failure 
or degraded operations. Gear trains are subject to tooth wear-out, 
particle generation, and bearing failure that can result in the device 
failing to transfer. Limit-switch action is essential to turn off 
power to the drive coils after the unit has engaged or disengaged. 
Limit-switch failure can result in the motor driving too far and me- 
chanical failure of the gear train. The electrical contacts are sub- 
ject to being burnt open or welded shut by fault currents or interrup- 
tion of unprotected inductive currents. 

Operational Impact - A motor-driven switch performs the same functions
as a relay, except the loads it switches are generally much larger than
relay loads. The remarks for impacts of magnetic-latching-relay
failure are applicable to motor-driven switches.

A major use of motor-driven switches is to connect and disconnect
high-current sources (e.g., ground supply and batteries) from buses.
For this type of application, failure of a motor-driven switch to
engage would be the same as the loss of a battery. Once a battery is
connected to a bus, the motor-driven switch would not normally be
operated. A failure could occur that would prevent the switch from
disengaging, but it would not normally be detectable until a disengage
command is given.

A scenario for assessing the impact of a motor-driven switch failing to 
disengage and remove a battery from a bus during orbital operations is 
as follows. Suppose that it were required that a battery should be 
removed from a bus, either for maintenance on the battery or on the 
load side of the bus. When the switch fails to disengage, the battery 
is not removed from the bus. With 270-Vdc batteries, a safety hazard
would exist when performing maintenance on the load side of the bus. 
Depending on the space station safety requirements, maintenance could 
be prohibited with this failure. The battery would be composed of a 
large number of cell modules. Battery maintenance would consist of 
replacing these modules. It is expected that safety requirements would 
require that the battery be floating so one side of a module could be 
grounded. When the motor-driven switch fails to open, the battery can 
not be isolated from ground. A safety hazard would exist for the re- 
moval of modules and the battery. Space station safety requirements 
could prohibit maintenance in certain cases. 

The impact of a motor-driven switch failing to open and remove a bat- 
tery from a bus and ground during orbital operations could create a 
safety hazard for maintenance. Safety requirements would probably re- 
quire that there be a manual means of isolating the battery from the 
bus and return before maintenance is allowed to proceed. 

During maintenance operations when a motor-driven switch is required to 
be disengaged, the impact of spurious engaging could create a safety 
hazard. The impact of a computer command connecting a battery to a bus 
while maintenance is in progress is such a serious hazard that design 
rules may require a manual disconnect of motor-driven-switch power dur- 
ing maintenance. 

4.4.3 Remote Power Controllers


Failure Modes - A remote power controller (RPC) is a solid-state switch 
that performs all the functions of a magnetic latching relay plus the 
additional functions of circuit breaker, fault current limiter, cur- 
rent-rise-time limiter, and current-fall-time limiter. An RPC is con- 
trolled by a logic-level signal. An RPC has all the generic failure 
modes of a magnetic latching relay plus several additional failure 
modes unique to an RPC. RPCs can be used in redundant configurations 
in the manner of magnetic latching relays. A summary of the RPC-unique
failure modes and operational impacts is shown in Table 4.4.3-1.


Table 4.4.3-1 RPC-Unique Failure Modes and Impact

| Description | Failure Mode | Effect |
|---|---|---|
| RPC is hi-gain feedback circuit. | Piece-part failure in stabilization loop. | Output of RPC oscillates. Load may not operate. Possible overdissipation in RPC. |
| Redundant series-pass transistors, individually fused emitters. | Pass transistors short, emitter fuses open. | No measurable impact. Nondetectable loss of redundancy. Graceful failure mode. |
| Limit rate of current rise (di/dt). | Piece-part failure, no rate-of-current-rise limit. | Bus transient undervoltage. EMI. |
| Limit rate of current fall (-di/dt). | Piece-part failure, no rate-of-current-fall limit. | Transient voltage rise due to inductance. EMI. Opening of a voltage suppression diode on an inductive load could result in voltage rise sufficient to destroy RPC. |
| Limit fault current for approximately 3 s. Built-in thermal mass to absorb heat. | Piece-part fail, timer does not turn off current. All pass transistors short, all internal fuses open. | Fault current is cleared, but RPC is destroyed. |
| RPC is mounted on a cold plate to control steady temperature. | Thermal subsystem failure or degradation. Rise in cold-plate temperature. | Rise in cold-plate temperature can impose limits on dissipation in RPC. |

A remote power controller has a high-gain, electronic-feedback circuit
meant to control multiple parallel power transistors. A description of
the unique failure modes of an RPC is shown in Table 4.4.3-1. Because
many of the RPC functions depend on analog circuitry, piece-part fail- 
ures in the analog circuitry can cause RPC functional failures. The 
causes of the piece-part failures are insufficient worst-case design 
and analysis, process failure, or lack of redundancy. 

An RPC will normally be mounted on a cooling plate to maintain desirable
operating temperature. A failure in the thermal-control subsystem
can affect the EPS by not controlling the plate temperature. An in- 
crease in the plate temperature could restrict the dissipation in the 
RPC. 

Operational Impacts - RPC application is similar to magnetic latching
(mag-latch) relays. Their redundancy requirements and the impact of a
failure in a redundant configuration are the same as for mag-latch
relays.

An RPC has more functions than a mag-latch relay. In addition to having
a relay function, it is also used as a circuit breaker, fault
current-limiter, and limiter for rate of current rise and fall. The
impact of these unique RPC failure modes is shown in Table 4.4.3-1.

There is an undetectable degradation in an RPC. This occurs when one 
of the parallel series-pass transistors fails and its emitter fuse 
opens. The RPC can function normally, but some margin would be lost. 
The operational impact of this failure ranges from a loss of
fault-management capability to no significant impact. The operational impact of
other faults owing to piece-part failures will be in the loss-of-EPS- 
capability category. RPC degradation owing to failure of the thermal- 
control subsystem to maintain the cold-plate temperature for the RPC 
will range from loss of EPS capability to no significant impact. 

4.4.4 Fuses


Failure Modes - A fuse has three major failure modes. First, it may 
fail to open at its specified rating. Second, a fuse may fail by open- 
ing at a current less than its specified rating. Third, a fuse may 
open owing to mechanical failure. 

A limit of a fuse is its fault-clearing capability. If a fuse is used 
in an application where the fault current exceeds the fuse-clearing 
rating, then the fuse may not clear the fault. Also, fuses have maxi- 
mum voltages for which they can be used in clearing. If a fuse is used 
at a higher than design voltage, it may not clear a fault. 

Operational Impact - If no redundancy is provided (i.e., one fuse), the
impact of a premature fuse opening is loss of the user load. The im- 
pact will be a partial loss of mission function. This would be an ac- 
ceptable condition because the decision would have been made to toler- 
ate loss of that load because it was classified low priority and was 
purposefully not provided with fuse redundancy. Failure of a single 
fuse to open at its rated current could result in a possible bus under- 
voltage. The operational impact could be a degradation of EPS function 
and affected user loads. 

For series-redundant fuses, the effect of one fuse opening at less than 
its rating is to lose a user load. The impact can range from degrada- 
tion of mission function to loss of EPS function. There is no signifi- 
cant impact from one series-redundant fuse not opening at its rating 
because it is assumed the other fuse will open. 

For parallel-redundant fuses, there is no significant impact from one 
opening prematurely. It is assumed the other fuse will carry the load 
current. If one of the parallel redundant fuses fails to open at its 
rating, more current would be required from the source to clear the 
fuse. If the source were limited, the fuse might not be cleared, and 
an overload or undervoltage condition could result.

Table 4.4.4-1 summarizes the failure modes and impacts for several
redundancy configurations:

1) One fuse, no redundancy; 

2) Two fuses, series redundancy; 

3) Two fuses, parallel redundancy. 


Table 4.4.4-1 Fuse Failure Modes and Operational Impacts 

| Redundancy Configuration | Failure Mode | Effect | Operational Impact |
|---|---|---|---|
| One Fuse, No Redundancy | Premature Open | A user load removed. | 3, 4 |
| | Fail to Open at Rating | Fault or overload not cleared. Possible bus undervoltage. | |
| Two Fuses in Series | One Premature Open | Lose a user load. | 3, 4 |
| | One Fail to Open at Rating | None. | 3, 6 |
| Two Fuses in Parallel | One Premature Open | None. | 5, 6 |
| | One Fail to Open at Rating | Higher current required from source to clear both fuses. If source limited, fuses might not clear. | 3, 4 |

4.4.5 Circuit Breakers 

Failure Modes - Circuit breakers serve the same basic function as a 
fuse, but they are capable of resetting, either by manual or electrical 
means. Therefore, circuit breakers have all the failure modes of fuses 
plus additional failure modes unique to circuit breakers. 

If a circuit breaker has a manual switching capability, then it is 
susceptible to a man's incorrect operation. If the circuit breaker has an 
electrical operation, then it can be affected by command errors, driv- 
er-electronics failures, and interface failures. Electromechanical 
circuit breakers have limits on the fault currents they clear. Grossly 
exceeding these limits can result in explosive destruction of the cir- 
cuit breaker. Information desired about the operational state of cir- 
cuit breakers is "open" or "closed." The state can be sensed directly 
by using an extra set of contacts as in mag-latch relays. The direct- 
sensing state indicator is subject to failures. These failures can 
give a false indication of the circuit-breaker state. 

Operational Impact - Circuit breakers are generally used with fuses and 
controlled switches such as mag-latch relays or RPCs. The circuit 
breaker is usually an enabling function. The relay is generally used 
for repetitive switching. The impact of a circuit-breaker failure is 
thus similar to that of a fuse. 

The failure of a circuit breaker to open could have a safety impact on 
maintenance similar to the failure of a motor-driven switch to open 
(see motor-driven switch failure impacts). 

4.4.6 Cabling 

Failure Modes - The generic failure mode of cabling and connectors is 
conductors or connections opening and insulation failing, with a re- 
sulting wire-to-wire or wire-to-structure short. Operational environ- 
ments that cause mechanical damage are not included here. The princi- 
pal operational environment that can cause degradation of insulation is 
temperature. Overvoltage can cause failure. Overtemperature would not 
cause an immediate insulation failure, but it could decrease the useful 
life of the insulation and require abnormally early maintenance or 
replacement. 


For a 250-kW-class space station, power cables may require heat sinking 
to structure, or active cooling. For such a configuration, failures or 
degradation of the thermal-control subsystem could affect the EPS 
through power cabling. 

A space station will experience modular buildup over a number of 
years. During this expansion, there is the potential for the change in 
cable locations that could affect thermal properties of the cable. 

Also, attitude-control modes such as gravity gradient have the poten- 
tial for exposing cables to sunlight or darkness, both of which could 
affect cable thermal and insulation properties. 

Operational Impacts - A summary of cable failures and other activities 
and their operational impacts is given in Table 4.4.6-1. Under the 
space station design requirement to eliminate single-point failures, 
the severest impact from a cable failure would be a partial loss of EPS 
capability or mission function. Insulation shorts from wire to wire, 
or intermittent insulation failures, can cause anomalous operation that 
could require partial shutdown for troubleshooting. Intermittent 
shorts in cables have the potential for extensive and time-consuming 
effort to discover, isolate, and correct. 

Insulation can be degraded by overtemperature. Monitoring could 
prevent this failure mode. The immediate operational impact of insulation 
degradation is probably not significant. As the degradation progresses 
to the point where cable failure occurs, the operational impact will be 
loss of fault-management capability (it is assumed there is sufficient 
cable redundancy that a failure can be tolerated). 

Table 4.4.6-1 Cabling Failures/Activities and Impacts 

| Failure or Activity | Effect | Cause | Operational Impact |
|---|---|---|---|
| Cable opens. | Lose loads. | Insufficient redundancy. | 3, 4 |
| Insulation shorts, wire-to-return. | Fault currents present, fuse or RPC must open to clear. | Insulation fault. | 3, 4 |
| Insulation shorts, wire-to-wire. | Anomaly, a load energized spuriously, arcing. | Insulation fault. | 3, 4 |
| Insulation degradation due to overtemp. | None. | Lack of monitoring. | 5, 6 |
| Thermal subsystem failure. | Increase cable temperature, decrease allowable power thru a cable. | Failure in another subsystem. | 4, 6 |
| Modular buildup, or attitude-control mode. | Cable moved or thermal characteristics altered. | Activity of modular buildup or attitude control. | 4, 6 |


4.5 SENSORS AND SIGNAL CONDITIONING FAILURE MODES AND OPERATIONAL IMPACT 

Failure Modes - The primary sensors for the EPS are to monitor the fun- 
damental or dc component of the following parameters: 


1) Dc voltage and current; 

2) Ac voltage, current, and frequency; 

3) Temperature; 

4) Pressure; 

5) Solar irradiance. 

All sensors have catastrophic-failure modes where they fail saturated 
or open. Each of the sensors has an error band. A sensor can degrade 
when its error exceeds its specified error band. 

Sensors in ground-based applications require periodic calibration. If 
a periodic calibration requirement is imposed on sensors for the space 
station, then a sensor is good as long as its calibration date is val- 
id. Once a sensor has exceeded its calibration date, then it may be 
considered bad and perhaps not useable for a manned application. Thus, 
there exists the possibility of sensors affecting the space station 
operation simply because of the exceeding of calibration dates or un- 
certainties about their accuracy. 

Some sensors have well-known and predictable drifts due to tempera- 
ture. This would constitute an accuracy degradation that could be re- 
moved by real-time adjustment if correction factors can be accurately 
determined. 

Signal-conditioning circuits will use electronic piece-parts to convert 
the raw analog measurement into a single-ended dc voltage of a given 
range such as 0 to +5V, suitable as the input to an analog-to-digital 
converter. The signal-conditioning circuits are subject to catastroph- 
ic failure, drift, and accuracy degradation. Generally, the signal- 
conditioning circuit will be inseparable from the sensor for calibra- 
tion and failure analysis. 

Sampling circuitry involves multiplexers and analog-to-digital conver- 
sion. This signal conversion can fail catastrophically or can de- 
grade. Signal-conversion circuitry is quite susceptible to grounding 
problems that could inject noise into an analog-digital converter. 

Sampling implies bandwidth limits on the signal being sampled to ensure 
that Shannon's Sampling Theorem is satisfied. This means there may be 
an antialiasing filter in front of the sampler. An antialiasing filter 
may be either passive or active. Thus, the EPS can be affected by 
failures in an antialiasing filter in the sampling section of the data 
system. If an antialiasing filter fails by not restricting the 
bandwidth of the sampled signal, anomalies in the sampled data can result 
from frequencies greater than one half the sampling frequency being 
present in the input. 
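
The effect of a failed antialiasing filter can be reproduced numerically. The following is an added example, not part of the original report; the 28 V dc level, the 70 Hz ripple, the 100 Hz sampling rate and the 5 Hz single-pole filter are constructed values chosen for illustration.

```python
import math

F_SAMPLE = 100.0      # ADC sampling rate, Hz (constructed value)
F_ANALOG = 10_000.0   # fine time grid standing in for the analog signal, Hz
BUS_DC = 28.0         # dc level being monitored, V (constructed value)
RIPPLE_HZ = 70.0      # ripple above F_SAMPLE / 2 (constructed value)
RIPPLE_V = 0.5        # ripple amplitude, V (constructed value)


def alias_frequency(f_signal, f_sample):
    """Frequency at which a tone at f_signal shows up after sampling."""
    folded = f_signal % f_sample
    return min(folded, f_sample - folded)


def analog_bus_voltage(seconds):
    """dc level plus ripple, evaluated on the fine grid."""
    n = int(seconds * F_ANALOG)
    return [BUS_DC + RIPPLE_V * math.sin(2 * math.pi * RIPPLE_HZ * j / F_ANALOG)
            for j in range(n)]


def rc_lowpass(signal, cutoff_hz):
    """Single-pole RC low-pass run on the fine grid (the healthy filter)."""
    dt = 1.0 / F_ANALOG
    rc = 1.0 / (2 * math.pi * cutoff_hz)
    alpha = dt / (rc + dt)
    y, out = signal[0], []
    for x in signal:
        y += alpha * (x - y)
        out.append(y)
    return out


def sample(signal):
    """Ideal sampler: keep every (F_ANALOG / F_SAMPLE)-th point."""
    return signal[::int(F_ANALOG / F_SAMPLE)]


def dominant_tone(samples):
    """Return (frequency_hz, amplitude) of the largest non-dc DFT bin."""
    n = len(samples)
    best = (0.0, 0.0)
    for k in range(1, n // 2):
        re = sum(s * math.cos(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        im = sum(s * math.sin(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        amp = 2 * math.hypot(re, im) / n
        if amp > best[1]:
            best = (k * F_SAMPLE / n, amp)
    return best


def run():
    """Compare a filter that passes everything with a working 5 Hz filter."""
    analog = analog_bus_voltage(1.0)
    failed = dominant_tone(sample(analog))
    healthy = dominant_tone(sample(rc_lowpass(analog, 5.0)))
    return failed, healthy


if __name__ == "__main__":
    failed, healthy = run()
    print("predicted alias: %.0f Hz" % alias_frequency(RIPPLE_HZ, F_SAMPLE))
    print("filter failed  : %.0f Hz at %.3f V" % failed)
    print("filter healthy : %.0f Hz at %.3f V" % healthy)
```

With the filter failed, the sampled data show a full-amplitude 30 Hz component that does not exist on the bus, and nothing in the samples distinguishes it from a real 30 Hz disturbance.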

The impact of transducer failure will depend on whether the transducer 
is active, if its output is being monitored, and what weight is given 
to its output. If a transducer is active and its output available, 
then its failure would be loss of information about the EPS. The 
failed transducer could present an anomaly. 

A summary of transducer failures and the resulting operational impact 
are given in Table 4.5-1. There should be sufficient sensor redundancy 
built into the space station so that the failure of a single sensor 
will have no significant impact. System-level trade studies will be 
required to identify how many sensor failures are permissible before 
EPS or mission functions are lost or degraded. When the vehicle is 
operated with failed sensors, it has a reduced fault-management 
capability. Requirements for fault management may require maintenance 
after a failure of a particular sensor. 

Degradation of a sensor by drifting outside of its error band can cause 
a lack of confidence in the measurements. The lack of confidence could 
cause overly conservative operating safety margins. 

A sensor failing by exceeding its calibration due date is an example of 
a planning failure. The impact on orbital operations will depend on 
the quality control and safety requirements for the space station. If 
the philosophy is that an out-of-calibration sensor cannot be used, 
then EPS capability can be lost or degraded. If all sensors were to go 
out of calibration on the same date, there could well be a requirement 
to curtail operations and make sensor calibration the highest-priority 
item. 
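
One way to turn the sensor failure modes above into an automated state-of-health check is sketched below as an added example (not from the report). The linear scale factor, the rail margin, the median voting and the sample readings are assumptions; only the 0 to +5 V conditioned range comes from the text.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

ADC_MIN_V, ADC_MAX_V = 0.0, 5.0  # conditioned range quoted in the text
RAIL_MARGIN_V = 0.02             # assumed: this close to a rail = open/saturated
REF_TEMP_C = 20.0                # assumed calibration temperature


@dataclass
class Sensor:
    name: str
    volts: float        # signal-conditioner output seen by the ADC
    scale: float        # engineering units per volt (assumed linear)
    error_band: float   # specified +/- error in engineering units
    cal_due: date       # calibration valid through this date
    temp_c: float = REF_TEMP_C
    temp_coeff: float = 0.0  # known drift, engineering units per deg C


def corrected_value(s):
    """Convert to engineering units and remove the predictable thermal drift."""
    return s.volts * s.scale - s.temp_coeff * (s.temp_c - REF_TEMP_C)


def assess(sensors, today, allow_expired_cal=True):
    """Return ({name: status}, voted value or None) for one redundant set."""
    status, live = {}, {}
    for s in sensors:
        if s.volts <= ADC_MIN_V + RAIL_MARGIN_V:
            status[s.name] = "FAILED_OPEN"
        elif s.volts >= ADC_MAX_V - RAIL_MARGIN_V:
            status[s.name] = "FAILED_SATURATED"
        else:
            live[s.name] = corrected_value(s)
    if not live:
        return status, None
    # The median of the live readings is the reference. At least three live
    # sensors are needed to tell which one of a disagreeing pair has drifted.
    reference = median(live.values())
    trusted = []
    for s in sensors:
        if s.name not in live:
            continue
        if abs(live[s.name] - reference) > s.error_band:
            status[s.name] = "OUT_OF_BAND"
        elif today > s.cal_due:
            status[s.name] = "CAL_EXPIRED"
            if allow_expired_cal:       # policy choice discussed in the text
                trusted.append(live[s.name])
        else:
            status[s.name] = "GOOD"
            trusted.append(live[s.name])
    return status, (median(trusted) if trusted else None)


# Constructed readings for four redundant bus-voltage sensors (30 V per volt).
TODAY = date(1990, 1, 1)
AFTER_ALL_CAL_DUE = date(1991, 1, 1)
BUS_SENSORS = [
    Sensor("V1", 4.00, 30.0, 1.0, date(1990, 6, 1)),
    Sensor("V2", 4.01, 30.0, 1.0, date(1989, 12, 1), temp_c=40.0, temp_coeff=0.015),
    Sensor("V3", 4.20, 30.0, 1.0, date(1990, 6, 1)),   # drifted high
    Sensor("V4", 5.00, 30.0, 1.0, date(1990, 6, 1)),   # failed saturated
]

if __name__ == "__main__":
    for policy in (True, False):
        print(policy, assess(BUS_SENSORS, TODAY, allow_expired_cal=policy))
    # Every calibration date passed and a strict policy: no usable measurement.
    print(assess(BUS_SENSORS, AFTER_ALL_CAL_DUE, allow_expired_cal=False))
```

The last call shows the planning failure described above: once every calibration date has passed and out-of-calibration sensors are disallowed, the measurement is lost even though two sensors still read correctly.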

Table 4.5-1 Sensor and Signal Conditioning Failure Modes and Operational Impacts 

| Failure Mode | Cause | Effect | Operational Impact |
|---|---|---|---|
| One Transducer Open | Lack of Testing; Inadequate Worst-Case Analysis; Lack of Process Control | None, If Redundant | 5 |
| One Transducer Out of Spec, Drift | Inadequate Operating Process Control; Piece-Part Quality Not Adequate | Decreased Information | 4 |
| Sensor Calibration Time Exceeded | Inadequate Planning | None for Short Times | 6 |
| ADC* Intermittent, Noisy, Ground; Antialiasing Filter Failure | Packaging, Manufacturing Test; or Installation | Decreased Information, Error | 4 |

*ADC = Analog-to-Digital Converter 


4.6 POWER-TRANSFER-DEVICE FAILURE MODES AND OPERATIONAL IMPACT 


Failure Modes - The components classified as power-transfer devices are 
slip rings, roll rings, twist flex, and rotary transformer (power 
electronics based on a series-resonant circuit). The major failure of a 
slip ring, a roll ring, or a "twist flex" is an open-circuit condition 
that results in loss or reduction of array power. 

The twist flex has a limited angular rotation. Vehicle operations 
could potentially affect the twist flex by commanding it beyond its 
allowable angular rotation. Assuming normal limit switches and safety 
interlocks, the impact of this operations failure would be to stop the 
orientation drive. This would result in degraded output from the solar 
panel. 

The rotary transformer includes a series-resonant inverter with control 
and protection electronics along with the rotary transformer. This 
device will have all of the failure modes associated with a series-res- 
onant inverter discussed in section 4.3.3. Failures associated with 
the transformer itself include open and shorted windings. 

Operational Impact - A summary of the power-transfer-across-rotary-joint 
failure modes and operational impact of the failure modes is given in 
Table 4.6-1. 


Table 4.6-1 Components for Power-Transfer-Across-Rotary-Joints Failure Modes and Operational Impacts 

| Failure Mode | Cause | Effect |
|---|---|---|
| Slip Ring - Noise | Particle-Generation Brush-Plug Wear | Degraded Power |
| Slip Ring - Short | Insulation Failure | Loss of All Power thru Slip Ring |
| Roll Ring - Open | Mechanical Failure | Loss of All Power thru Roll Ring |
| Twist Flex - Open | Mechanical Failure of Flex Wire | Degradation or Full Loss of Power thru Twist Flex |
| Rotary Transformer - Open | Electronics Failure in Series-Resonant Inverter | Loss of Power from an Array Section |



There are no failure modes that would result in a catastrophic loss of 
the spacecraft under the assumption there would be sufficient 
redundancy to tolerate the loss of power across a rotary joint. The 
operational impact of noise generated in a slip ring will probably result 
in a degraded EPS capability. There is also the possibility of 
electromagnetic interference with payloads. The complete failure of a 
component to transfer power will result in loss of all power from a 
solar-array section if there is no redundancy in the rotary joint's 
power-transfer components. If there is no redundancy, the operational 
impact will range from degradation of mission functions to loss or 
degradation of EPS function. Assuming power-transfer component 
redundancy is provided, the impact of the loss of a power-transfer 
component would be loss of fault-management capability. 


4.7 AUXILIARY POWER SOURCES FAILURE MODES AND OPERATIONAL IMPACT 

4.7.1 Lithium Thionyl Chloride (LiSOCl2) Battery 


Failure Modes - A summary of the failure modes is given in Table 
4.7.1-1. This primary battery has no function during long-term, normal 
operations. Its intended use is that of an auxiliary, or emergency, 
power source. A significant shortcoming of this type of battery design 
is lack of state-of-health monitoring during the normal-operations per- 
iod when it is not used. Should a failure occur during a long standby 
period, then the battery could fail or be degraded when it is activated 
to supply power. This condition cannot be tolerated if the required 
power is for emergency purposes. 


Table 4.7.1-1 Failure Modes of Lithium Thionyl-Chloride Battery Cells 

| Failure | Causes | Effect |
|---|---|---|
| Low end of discharge voltage and/or loss of capacity. | Cell operation at low temperature. | Abnormally early bus voltage drop, possible bus undervoltage following. |
| Low beginning of discharge voltage. | Long dormancy, generally at an above-normal temperature; cold temperature. | Possible transient bus voltage drop or power delay at the beginning of a discharge period. |
| Cell shorted. | Electrode or terminal bridging. | Possible bus undervoltage and loss of power. |
| Cell open. | Terminal-electrode break. | Possible bus voltage drop and loss of an entire string of cells. |







4.7.2 Chemical Turbomachinery 

Failure Modes - Chemical turbomachinery or, more commonly, auxiliary 
power units (APU), can have failures associated with leaks in the reac- 
tant reservoirs, clogged tubes preventing reactant flow, pump failures, 
turbine mechanical failures (blades, bearings) and all the known fail- 
ure modes of an electrical generator. A significant degradation of the 
energy capacity of chemical turbomachinery can occur by leaks of the 
reactants during periods of disuse. 

Operational Impact - A summary of the generic failures of an auxiliary 
power unit and the operational impact are given in Table 4.7.2-1. If 
the state of health of an APU is not monitored during normal operations 
and it fails, there is no impact as long as it is not needed. If a 
situation arises where the APU is needed but has already failed, the 
next level of APU backups will have to be activated. 


Table 4.7.2-1 Auxiliary Power Unit Failure Modes and Impact 

| Failure Mode | Effect | Impact Orbital Assembly | Operational Impact |
|---|---|---|---|
| Normal operation, failure not detected. | None | None, if no additional failure. Safety hazard if required. | 5 |
| Normal operation, failure detected. | None | None, if no additional failure. Schedule work around when failure known. | 5 |
| Auxiliary power active, then fail. | Switch over to backup. | Schedule maintenance impact. | 5 |
| Emergency shutdown system, false emergency. | Deplete battery capacity. | Operations. Schedule. Future STS Flights. | 5 |











A most serious impact appears to be an undetected failure during normal 
operations. The impact is that fault-management capability has 
unknowingly been lost. Operating safety margins are not what they seem. If 
an APU failure is detected during normal operation, when the APU is not 
needed, then operations could be changed to minimize the impact of the 
loss of the APU, and timely maintenance, repair, or replacement could be 
scheduled to restore the fault-management capability. 

If an APU is active and fails, and a backup APU is activated, the 
operational impact of the failure is a loss of fault-management 
capability. 

If limits in the emergency-shutdown system are too tight, or an invalid 
emergency is declared and the APU is activated, the reactants can be 
consumed. A rapid string of false emergencies and activation of the 
APU can result in APU-reactant depletion. The impact of failures in 
the emergency-shutdown system (false emergencies) is loss of EPS fault- 
management capability, future STS flight impact, and maintenance time 
for APU replacement. There can also be an operational impact by con- 
straints owing to depleted APU backup capability. 

4.8 OTHER ACTIVITIES AND FACTORS AFFECTING EPS PERFORMANCE 

Table 4.8-1 is a list of basic space station operational 
characteristics and impacts on the EPS design, performance, and 
operation. A summary of other subsystem faults and activities that 
affect the EPS is given in Table 4.8-2. A brief discussion of major 
activities is given in the following paragraphs. 

A key conclusion that can be made is that EPS automation is mandatory 
in meeting the initial space station's basic requirements. 


Table 4.8-1 Basic Space Station Operational Characteristics and EPS Design Implications 

| Activities/Unknowns | Implications in Power Subsystem Design, Performance, and Operation |
|---|---|
| Long-Duration Manned Facilities | Assure Crew Safety and Reduce Ground Support Requirements |
| | Incorporate Flexible Fault Detection and Correction Capabilities |
| | Replace Battery Modules and Array Sections Periodically |
| | Accurately Keep Maintenance Logs and State of Health of Identifiable Elements or Sections |
| | Accommodate Old- and New-Technology Components |
| Build and Repair in Space | Facilitate/Simplify Capability to Add Key Components |
| | Be Able to Determine State of Health Quickly and Accurately, and Predict Failure (e.g., Based on Trend Data) |
| | Provide a "Turn-Key" Operation Similar to Large Terrestrial Photovoltaic Power Systems as Solar-Array Sections and Batteries Are Installed |
| Incremental Growth in Power | Flexibility in Power-Hardware Designs and Additions in Orbit |
| | Be Able to Quickly and Accurately Verify Performance after Assembly and Update Power-Capability Information |
| | Be Able to Reconfigure Easily and Operate in Reconfigured Arrangement |
| Economical Payload Support | Reduce Power Subsystem Maintenance, Monitoring, and Other Housekeeping Roles by Flight and Ground Crew to a Minimum |
| | Accommodate Unproven (on Long Life) or New-Technology Hardware to Reduce Development Cost |
| | Overcome Technology Limitations (e.g., Lack of Long-Duration Battery Life Testing and Uncertainties in Life of High-Voltage Batteries) |
| | In Situ Learning of Capabilities and Limitations, e.g., Large Number of High-Voltage Batteries Operating in Parallel, in Lieu of Extensive Ground Testing |
| Verify Performance of Large Components along with Multiple Components Operating in Parallel | Need to Develop Technology for Onorbit Checkout Techniques and Analytical Tools for Performance Determination |
| | Resort to Analytical Approach in Predicting or Calibrating Performance |
| | Solar Array Strings and Battery Strings May Have to Operate with Mismatched and New or Old Elements. This Poses a Special Problem in Performance Optimization and Prediction |

Table 4.8-2 Other Subsystem Faults and Activities That Can Affect EPS Performance 

| Subsystem | Failure/Activity | Effect (Operational) |
|---|---|---|
| Structures | Modular Buildup | Reduced Power |
| Thermal Control | Impaired Capacity to Dissipate EPS Waste Heat | Reduced Power |
| User Loads (All Subsystems and Payloads) | Shorts or Overloads | Bus Undervoltage |
| | Large Differences in Day and Night Power at Buses | May Reduce Bus Power Capability; Excessive Battery DOD |
| Attitude Control | Gravity Gradient Attitude Mode with No Solar Array Articulation | Reduced Power |
| | Failure to Maintain Required Stable Attitude Because of Unknowns in Controlling Large, Flexible Structures | Reduced Power |
| Command | Degraded TM Data Transmission | Reduced Information to Ground |
| | Loss of CPU Power | Reduced Autonomy and Automation |
| Data | Software Maintenance | Reduced Power Capability |
| EPS/Crew Interface | Crew Commands, Displays, New Crew, Interface Ambiguity, Mistakes | Reduced Power Capability; Unintended Shutdown |
| EPS/Ground Operations Interface | Power-Management Configuration History; Audit Trail or Automated Activities; Training; Commands/Displays | Reduced Power Capability; Inefficient Mission Planning |

4.8.1 Flexible-Structures and Control-Subsystem Activities 


A space station will contain a large, flexible structure. Knowledge of 
the low-frequency dynamics of large, flexible structures will be criti- 
cal to the design and performance (stability envelope) of the control 
system. There is a probability that some in-situ characterization of 
the structure dynamics will be required. A significant mass in a space 
station will be in the solar panels. Hence, possible impacts on the 
EPS from flexible structures and the control system are low-frequency 
mechanical oscillations, solar-array pointing-accuracy degradation, and 
constraints on solar-panel slew rates. 

4.8.2 Data Management Subsystem (DMS) Activities 

Assuming that the EPS incorporates a reasonable amount of automation, 
it is expected that the EPS will not be highly dependent on the space- 
station DMS. Loss of channels or degradation of data rates in the DMS 
can result in loss of information about the EPS for ground use. If, 
for some reason, sampling times become larger than normal, information 
about the state of the EPS decreases. Preprocessing of critical EPS 
performance data by the EPS computer would significantly minimize the 
impact of DMS failures of this type. 

Loss of space-station CPU capacity could result in some high-level EPS 
automation software being bumped out by higher-priority flight 
software. This could mean the EPS high-level automation software would 
have to be run either in the STS or on the ground, or it would be 
cancelled and the functions performed by the ground. 

The extent to which the EPS is automated, especially in handling and 
processing raw engineering performance data and commands, affects the 
cost of the data-management subsystem. If the EPS transmits only the 
significant engineering data, e.g., power, energy, and average 
quantities, rather than real-time voltage, current, and temperature, then 
DMS support requirements to the EPS will be significantly lower than in 
past spacecraft. Also, the local computing and data-storage capability 
of the EPS processor will minimize the requirements on the DMS 
processor in areas such as: 

1) Archival data storage; 

2) Fault diagnosis; 

3) Health monitoring; 

4) Operational state of commandable functions. 

A normal function throughout the life of the space station will be 
software maintenance. The lack of software maintenance may be costly. 
Potential causes of software maintenance problems are: 

1) Inadequate software documentation; 

2) Temptation to save money by cutting corners on software 
documentation; 

3) Inadequate test; 

4) Inadequate quality control; 

5) Inadequate sneak-path analysis; 

6) Many potential interface pitfalls; 

7) Many individuals will work on software over the life of the space 
station; 

8) Configuration-control deficiencies. 

The ability of the EPS to perform its function in the space station 
will be highly dependent on the software — not only the EPS applications 
programs, but also the computer executive routines. Maintenance and 
documentation of the computer applications and operating software will 
be just as significant as changes to EPS wiring. 

4.8.3 EPS/Astronaut Interface 


The EPS/Astronaut interface will consist of the information display 
about the EPS available to the crew via the onboard control-and-display 
subsystem, and the method for the crew to analyze and control the EPS. 
Display options range from a CRT to a dedicated meter for each parame- 
ter. Command input options range from a computerlike keyboard to a 
dedicated switch for each command. Other aspects of the EPS/Crew in- 
terface are: 

1) Crew command authority; 

2) Crew override; 

3) Automatic validation of commands; 

4) Quick-look problem assessment; 

5) Crew training. 

Design of the EPS/Crew interface has many wide-ranging impacts. The 
first requirement is that the crew be involved in not only the inter- 
face design but also the EPS design. Crew/EPS interface errors can 
cause loss of EPS functions or underuse. For a long-life space sta- 
tion, crew rotation is an operational necessity and crew training will 
be a continuing operation. Inadequately trained and certified crews 
can affect the EPS. Onboard ability to determine the EPS state of 
health quickly and precisely is, therefore, quite essential — especially 
on high-power systems. 



As for the DMS, the extent to which the EPS is automated significantly 
affects the design and cost of the control and display subsystem. 

4.8.4 EPS/Ground Interface 

Almost everything said about the EPS/flight-crew interface applies to 
the EPS/ground-operations interface. Configuration control is a para- 
mount ground activity that has the potential of getting out of con- 
trol. Mistakes in configuration control could affect the EPS. During 
the life of the space station, there will be new flight-operations 
personnel every few months or years. Training and certification will be 
activities that can affect the EPS, if there are deficiencies. Both 
onboard and ground automation have a large effect on the cost of any 
ground-support equipment, actual mission operations, and documentation. 

4.8.5 Modular Buildup 

A space station will be built up in a modular fashion over a period of 
years. This implies adding new structures, modular EPS components, and 
new loads. As new equipment is brought online, there are many poten- 
tial problems such as: 

1) Interface compatibility; 

2) Software growth; 

3) Sneak paths (software and hardware); 

4) Updating of performance capability. 

4.8.6 Thermal-Dissipation Management 

The amount of heat dissipated by the EPS components (in particular, 
power converters, inverters, and batteries) can exceed the design 
capability of the thermal-control subsystem. Inadequate temperature 
control or thermal-dissipation capability results in the following forms 
of EPS degradation: 

1) Reduced bus-power capability; 

2) Reduced battery life; 

3) Reduced power-handling capability. 

An ability to quickly and precisely assess thermal-control problems, 
determine solution approaches, and implement them is mandatory. Be- 
cause user load and housekeeping-subsystem load control is involved, 
thermal-dissipation management and power management must be inte- 
grated. This is a system-level automation function that should be im- 
plemented by the space station’s central computer. 

TASK 3 - DEFINITION OF AUTOMATION TASKS 


OBJECTIVE AND SCOPE 

The first objective of this task is to develop a candidate list of 
automation activities that could minimize or eliminate the impact iden- 
tified in Task 2 as well as from other activities that affect EPS per- 
formance. The second objective of this task is to create a generic- 
benefits list and identify the range of benefits available from each 
automation activity. 

SUMMARY 

It should be noted that there are basically two ways of automating any 
function or operation. One is to use hardwired logic and circuits con- 
taining discrete devices. The other is via a digital computer. This 
study is oriented toward automation of the second kind, and therefore, 
unless otherwise stated, this report generally implies use of a comput- 
er where automation is discussed. 

Tasks that are generally suitable for automation are: 

- Routine Tasks 

- Precision Tasks 

- Sequential and Timed Tasks 

- Tasks That Must Be Done on Compressed or Expanded Timeline 

- Monitoring 

- Memorization 

- Complex Math or Logical Tasks 




Table 5-1 presents the definition of the above general tasks. 


Table 5-1 Definition of General Automation Tasks 


Routine Tasks - Routine tasks by their nature are performed frequent- 
ly in the same manner. As such, they are prone to generate errors by 
the astronauts or ground crew. By reducing astronaut and ground-crew 
interaction with the EPS by automating routine tasks, there is the 
potential to reduce workload and errors. Examples of routine tasks 
are battery-charge and -discharge control. 

Precision Tasks - The benefit from automating precision tasks is to 
improve performance. An example of a precision task is solar-array 
pointing. 

Sequential and Timed Tasks - A potential benefit of automating se- 
quential and timed tasks is to eliminate errors. Common errors are 
to eliminate steps, perform steps out of sequence, or perform 
multiple steps. An example of a sequential and timed task is load 
sequencing. 

Tasks That Must Be Done on a Compressed Timeline - Tasks that must be 
done on a compressed timeline may cause an excessive workload for the 
astronaut or ground crew. The benefit from automating this class of 
task is to reduce workload. An example of a compressed timeline 
function is correction of a bus undervoltage. 

Monitoring - A space station will have a large number of monitoring 
tasks. Routine monitoring may be considered a boring task that hu- 
mans perform poorly. The benefits from automating monitoring tasks 
are a reduction in errors and crew boredom. Examples of monitoring 
tasks range from accounting for relay position, battery state of 
charge, and user load-status to doing limit checks such as for cau- 
tion, warning, and alarm. 

Memorization - A benefit from automating tasks requiring both short 
and long-term memory is task simplification. An example of a memori- 
zation task involving detailed knowledge of a component is checkout 
of an assembly. 

Complex Math or Logical Tasks - Consider automating complex mathemat- 
ical tasks to improve mission performance. An example of such a task 
is prediction of the time when a battery will become fully charged 
under varying load scenarios. 


To standardize the definition of automation tasks, six categories of 
generic functions were identified as listed in Table 5-2. 

Table 5-2 Automation Task Categories 

1.0 Data Handling 
    1.1 Acquisition 
    1.2 Processing 
    1.3 Storage 

2.0 Monitoring 
    2.1 Operational State 
    2.2 State of Health 
    2.3 Performance Analysis 
    2.4 Trend Analysis 

3.0 Fault Handling 
    3.1 Fault Detection 
    3.2 Fault Isolation 
    3.3 Fault Correction 

4.0 Control 

5.0 Planning and Operations 

6.0 Anomaly Handling 


Data Handling - Data handling is required in all other automation tasks 
because they are dependent on input data. Data handling involves ac- 
quisition, processing, and storage of engineering data and commands. 
Data acquisition includes collection of measurements via multiplexing 
and analog-to-digital conversion to digitize the data to put it in a 
form acceptable for processing by digital computers. Processing in- 
volves all of the computational tasks. One of the processing tasks in- 
volved with data acquisition is conversion of the raw-ADC outputs to 
engineering units useful to the human users. Storage refers to storing 
of basic operating and application software as well as the storage of 
raw data and processed data. 

Monitoring - Monitoring is defined to include operational state and 
state of health determination, performance analysis, and trend analy- 
sis. Operational state means the position of all switches, the good/ 
bad status of all components, and the active/inactive status of all EPS 
components. State of health determination deals with determining if a 
particular EPS component is operating within its normal envelope. 

Thus, limit checking and built-in test and checkout are inherent sub- 
functions. If it is operating within its normal envelope, it is 
healthy. If it is operating outside its normal envelope, it may be 
impaired, unhealthy, or it may be in danger of an incipient failure. 

Performance analysis deals with measurable indexes of performance, such 
as solar-array temperature or battery state of charge. Trend analysis 
involves the analysis of a variable as a function of time. Trend anal- 
ysis may involve the analysis of one or many variables as functions of 
time.

Fault Handling - Fault handling includes the automation of fault
detection, isolation, and correction. Faults may be true, false, or
transient. An important goal of fault-detection automation is to
minimize the number of false faults declared. The strategy for
minimizing false or transient faults is to require a fault condition to
exist for a time greater than a limit time. The hope is that the limit
time will be greater than the transient time. Fault isolation or safing
consists of actions to remove the faulty component or isolate it from
the EPS after a fault is declared. Fault correction requires analysis
and action to correct the fault (switch in a standby redundant unit) or
manage it if redundancy is not available, such as priority-load
scheduling to reduce battery drain.
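
The fault-handling strategy described above, as an added example that is not part of the original report: a limit violation is declared a fault only after it has lasted longer than the limit time, after which the unit is isolated and the fault corrected by a standby unit or by priority-load shedding. The 26-32 V limits, the 500 ms limit time, the unit and load names, and the voltage samples are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PersistenceDetector:
    """Declare a fault only when a limit violation outlasts limit_time_ms."""
    low_limit: float
    high_limit: float
    limit_time_ms: int
    violation_start_ms: Optional[int] = None
    declared_at_ms: Optional[int] = None
    transients_rejected: int = 0

    def update(self, t_ms: int, value: float) -> bool:
        """Feed one sample; return True once a fault has been declared."""
        if self.declared_at_ms is not None:
            return True  # latched until fault handling resets the detector
        if self.low_limit <= value <= self.high_limit:
            if self.violation_start_ms is not None:
                # Condition cleared before the limit time ran out: a transient.
                self.transients_rejected += 1
                self.violation_start_ms = None
            return False
        if self.violation_start_ms is None:
            self.violation_start_ms = t_ms
        if t_ms - self.violation_start_ms > self.limit_time_ms:
            self.declared_at_ms = t_ms
            return True
        return False


@dataclass
class Load:
    name: str
    priority: int        # 1 = most critical; the highest number is shed first
    power_w: float
    connected: bool = True


def isolate_and_correct(unit: str, standby: Optional[str],
                        loads: List[Load], deficit_w: float) -> List[str]:
    """Isolate the faulty unit, then correct: switch in the standby unit if
    one exists, otherwise shed loads by priority until the deficit is covered."""
    actions = [f"isolate {unit}"]
    if standby is not None:
        actions.append(f"switch in {standby}")
        return actions
    shed_w = 0.0
    for load in sorted(loads, key=lambda item: item.priority, reverse=True):
        if shed_w >= deficit_w:
            break
        if load.connected:
            load.connected = False
            shed_w += load.power_w
            actions.append(f"shed {load.name}")
    return actions


def make_loads() -> List[Load]:
    """Constructed load table (names, priorities and powers are assumptions)."""
    return [
        Load("life-support", 1, 400.0),
        Load("communications", 2, 150.0),
        Load("experiment-A", 3, 300.0),
        Load("experiment-B", 4, 200.0),
    ]


# Constructed bus-voltage samples (time in ms, volts): a 200 ms dip that
# recovers on its own, then a sustained undervoltage starting at 1000 ms.
SAMPLES: List[Tuple[int, float]] = [
    (0, 28.0), (100, 28.1), (200, 27.9), (300, 24.0), (400, 24.5),
    (500, 28.0), (600, 28.0), (700, 28.0), (800, 28.0), (900, 28.0),
    (1000, 25.0), (1100, 24.8), (1200, 24.6), (1300, 24.5), (1400, 24.4),
    (1500, 24.3), (1600, 24.2), (1700, 24.1),
]


def run(samples: List[Tuple[int, float]],
        limit_time_ms: int = 500) -> Tuple[Optional[int], int]:
    """Return (time the fault was declared, number of transients rejected)."""
    detector = PersistenceDetector(26.0, 32.0, limit_time_ms)
    for t_ms, volts in samples:
        detector.update(t_ms, volts)
    return detector.declared_at_ms, detector.transients_rejected


if __name__ == "__main__":
    print("limit time 500 ms:", run(SAMPLES))
    print("limit time  50 ms:", run(SAMPLES, limit_time_ms=50))
    print(isolate_and_correct("converter-A", None, make_loads(), 450.0))
```

With a limit time shorter than the dip, the same samples produce a false fault on the transient, which is the case the limit time is meant to prevent.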

Control - This function is intended to include all routine housekeeping 
and maintenance tasks. Automation of control means mechanization of 
processes to effect the required results. An example of a frequent 
routine control task is the control of battery charge and discharge. 

An example of an infrequent control task is the determination of when 
to recondition a battery. 

Planning and Operations - The planning and operations function involves 
all mission-operations activities. As a result, this is a space-sta- 
tion-level task. Automation of operations management will involve com- 
puter software to close the loop by monitoring the plans as they are 
implemented, evaluating performance, and taking corrective actions. 

Anomaly Handling - Automation of anomaly handling is one of the more
difficult and challenging tasks. An anomaly can be defined as an
unforeseen situation or condition, a situation that is not understood,
or a condition that cannot be resolved by the existing measurements,
hardware, or computer programs. One characteristic symptom is an
occurrence of what appears to be a fault, but the fault is not
repetitive and has no trend. Anomaly handling appears to be a candidate
area for implementation via an expert-system approach.

A general statement of benefits from EPS automation, which was
developed for use in Task 3, is listed in Table 5-3.


Table 5-3 Benefits from EPS Automation

No.   Description
1     Increased Life
2     Increased Reliability, Maintainability, and Safety
3     Improved Performance
4     Reduce Cost
      4.1  Subassembly (Black Box)
      4.2  Subsystem
      4.3  Spacecraft
      4.4  Launch Operations
      4.5  Flight Operations
      4.6  Inflight Fault Detection, Maintenance, and Servicing
      4.7  Design, Development, Test, Evaluation (DDTE)
      4.8  Ground-Support Personnel Labor
      4.9  Ground-Support Equipment (Prelaunch & Flight Operations)
      4.10 C&DH Subsystem
      4.11 Thermal-Control Subsystem
      4.12 Life-Support Subsystem
      4.13 Crew Training Simulator/C&D Subsystem
5     Reduced Maintenance
6     Able to Overcome Technology Limitations
7     Reduced Astronaut/Power Subsystem Interaction
8     Reduced Number of Ground-Support Personnel
9     Reduced New-Subsystem Familiarization/Training Time
10    Reduced PV-Array Size and Weight
11    Reduced Battery Size and Weight
12    Reduced Power-Conditioning Size and Weight
13    Minimized Human Error
14    Allows Space Operation without Crew
15    Provides Real-Time Short-Response Control
16    Reduced Software and Hardware Interfaces to C&DH Subsystem
17    Improved Security and Survivability
18    Enables a Given Task, Operation, or Mission


This benefits list is a compilation of all automation-benefits lists 
from present and previous studies involving autonomy and automation. 
Note that the benefits can be grouped into one of the following action 
categories:

- Increase
- Improve
- Reduce
- Overcome
- Minimize
- Allow
- Provide
- Enable

Analysis of the benefits list in Table 5-3 shows that this list con- 
sists of a benefit category and a space station parameters column that 
is affected by automation. To provide more weight into the range of 
benefits potentially available from EPS automation, the space-station 
EPS parameter benefiting from automation is given as a function of the 
benefit action in Table 5-4. 


Table 5-4
Benefit Action and Space Station Parameter Impacted by Automation

Action        Benefits
- Increase    - Life, Reliability, Maintainability, Safety
- Improve     - Performance, Security, Survivability
- Reduce      - Cost
              - Maintenance
              - Astronaut/EPS Interaction
              - Number of Ground-Support Personnel
              - New Subsystem Training Time
              - PV Array Size and Weight
              - Battery Size and Weight
              - Power Conditioning Size and Weight
- Minimize    - Human Error
- Allow       - Operation without Crew
- Provide     - Real-Time Short Response Control


An inspection of Table 5-4 shows that the first result of automation is
to increase, improve, allow, or provide for that which is desirable.
Such space-station attributes as enhanced life and performance, ability
to operate without a crew, and real-time short-response control
capability are all needed. The effect of EPS automation is to enable
these needs.

The second benefit of automation is to reduce or minimize undesirable
characteristics. It is desirable to reduce or minimize cost,
astronaut/EPS interaction, size, weight, and human error. The effect of
EPS automation is to reduce and minimize these undesirable EPS
characteristics.

A matrix of benefits for each generic automation task is given in Table 
5-5, and a brief summary of general approach to satisfy each automation 
goal is presented in Table 5-6. 


Table 5-5 List of Benefits for Generic Automation Task

[Matrix of automation tasks versus benefits. Rows: 1) Data Handling,
2) Monitoring, 3) Fault Handling, 4) Control, 5) Planning and
Operations, 6) Anomaly Handling. Columns: Benefits* 1 through 17,
including 4.1 through 4.13. The column positions of the individual X
marks are not legible in this copy.]

*See Table 5-3





Table 5-6 Benefits from EPS Automation

Automation Goal                General Approach

1.0  Increase life.
     - Minimize stress on EPS during normal operation and allow
       continuous operation in degraded mode.

2.0  Increase reliability, maintainability and safety.
     - Detect, isolate, and correct faults quickly.

3.0  Improve performance.
     - Operate EPS close to its limits, especially during degraded
       modes.

4.0  Reduce cost.

4.1  Subassembly (black box).
     - Replace number of discrete parts.

4.2  Subsystem.
     - Do via software rather than hardware, wherever possible.

4.3  Spacecraft.
     - Automate EPS to reduce other subsystem costs; automated test
       and checkout.

4.4  Launch operations.
     - Automated test and checkout.

4.5  Flight operations.
     - Reduce astronaut involvement in EPS monitoring and control,
       astronaut freed for other activities.

4.6  Inflight fault detection, maintenance, and servicing.
     - Reduce astronaut, ground/EPS interaction.

4.7  DDTE (Design, Development, Test, Evaluation).
     - Minimize design freeze via use of software.

4.8  Ground-support personnel labor.
     - Automate EPS monitoring and control.

4.9  Ground-support equipment (prelaunch & flight operations).
     - Onboard test and checkout, and fault handling reduce
       ground-support equipment.

4.10 Data-management subsystem.
     - Reduce data and command interfaces due to EPS.

4.11 Thermal control subsystem.
     - Minimize thermal-dissipation management via EPS automation.

4.12 Life-support subsystem.
     - Do integrated load control.

4.13 Crew-training simulator and C&D subsystem.

5.0  Reduce maintenance.
     - Fault-handling automation will allow maintenance to be done on
       convenient schedule. Automatic monitoring functions and
       redundancy management.


Table 5-6 (cont)

6.0  Overcome technology limitations.
     - Overcome limited component lifetimes by fault handling and
       redundancy.

7.0  Reduce astronaut/power subsystem interaction.
     - Hardware and software automate fault handling, reducing
       astronaut-EPS interaction.

8.0  Reduce number of ground support personnel.
     - Hardware and software automate fault handling, reducing need
       for ground support.

9.0  Reduce new subsystem familiarization/training time.
     - Reduces penalty associated with operator mistake.

10.0 Reduce PV-array size and weight.
     - Via automation, optimize use of available power, and load
       management.

11.0 Reduce battery size and weight.
     - (Same as above.)

12.0 Reduce power-conditioning size and weight.
     - (Same as above.)

13.0 Minimize human error.
     - Automate sequential, routine, boring tasks.

14.0 Allow space operation without crew.
     - Automate EPS monitoring control, and fault handling functions.

15.0 Provide real-time short response control.
     - Onboard hardware and software available in real time.

16.0 Reduce software/hardware interfaces to command and data
     management subsystems.
     - Use digital-data interface and minimize analog-data interface;
       transmit processed engineering parameters (pwr, energy) and
       average quantities to minimize raw-data flow.

17.0 Improve security and survivability.
     - Automation of fault handling provides continuous fault handling
       not interrupted by communications problems, operator error, or
       operator distracted to higher-priority task.


Table 5-6 (concl)

18.0 Enable:

     a) Mission.
        - Reduction of array and battery weight through EPS and load
          management, enables certain missions to use photovoltaic
          system.

     b) Autonomous operation.
        - Automation of all critical monitoring and control tasks
          previously done on ground.

5.1 FAULT-HANDLING TASKS

The automation tasks identified in Table 5-2 and the benefits list 
identified in Table 5-3 were used to analyze the faults and activities 
identified in Task 2. The approach taken was to identify the automa- 
tion function required to resolve or permit a workaround solution for 
each of the failure modes identified for each selected EPS component. 
The results of this analysis are shown in Tables 5.1-1 thru 5.1-19 at 
the end of this chapter. 

5.2 MONITORING TASKS 

Monitoring tasks consist of (1) operational state determination, (2)
state-of-health determination, and (3) performance and trend analysis. 
Self-test and checkout are included under state of health. Table 5.2-1 
(at the end of this chapter) is a list of specific subtasks identified 
for the photovoltaic/battery power subsystem. 

5.3 CONTROL TASKS 

All routine control functions are included in this category. Table 
5.3-1 (at the end of this chapter) lists specific examples for several 
subsystem components. 

5.4 PLANNING AND OPERATIONS TASKS 

Planning and operations tasks involve all activities required by the
space station, flight crew, and/or the ground crew to satisfy the
mission-operations requirements. The principal task identified is that
of electrical-consumables management or simply energy management. This
is a system-level task because it affects not only various housekeeping
subsystem functions but also the operational sequence of experiments.

The energy management goals are to: 

1) Provide the required power under normal and degraded mission modes;

2) Maintain a positive average bus power margin; 

3) Extend battery life and minimize battery maintenance. 

It is further intended that the above goals should be fully automated
with lesser autonomy initially, but growing into a fully autonomous
onorbit capability. Achieving these goals will provide benefits such
as reducing ground labor and equipment costs, improving flight crew and
ground-crew productivity, and allowing complex, concurrent operations
with minimal human error.


Table 5.1-1
Solar Array Failure Modes, Automation Candidates and Benefits

Failure Mode                              Automation Task*
Lose Power from Part of Array             1, 2, 3
Fail to Track Sun                         1, 2, 3
Degraded Ability to Track Sun             1, 2, 3
Plasma Interaction                        1, 2
Long Term Degradation                     1, 2
Excessive Charged Particle Degradation    [illegible]

Method
1) Determine status of all subarrays via limit checks, and identify
   failed or degraded subarrays.
2) Determine total array power available.
3) Calculate total array power degradation.
4) Determine impact on bus load-handling capability.
5) Maintain state-of-health and performance trend data.
6) Isolate failed subarrays.

Benefits**
4.5, 4.6, 4.8, 7, 8, 10

*See Table 5.1-2.
**See Table 5.1-3.


Table 5.1-2 Gimbals Failure Modes, Automation Candidates and Benefits

Failure Mode:          Slip Ring Short, or Roll Ring-Twist Flex Open,
                       or Degradation
Automation Candidate:  1, 2, 3
Method:                Periodically calculate P(IN) & P(OUT). Archive
                       data, trend-analysis projections. Pinpoint
                       failure.
Benefits:              4.6, 4.8, 7, 8, 15

Failure Mode:          Rotary Transformer Fail or Degrade
Automation Candidate:  1, 2, 3
Method:                Same as above plus undervoltage management,
                       redundancy switching.




Table 5.1-3
Dc/Dc Converter, P3 Type Failure Modes, Automation Candidates and
Benefits

Failure Mode:          Shorted Series Pass Transistor
Automation Candidate:  1, 2, 3
Method:                Detect overvoltage and close shunt switch.
Benefits:              1, 2, 4.5, 4.6, 6, 7, 15

Failure Mode:          Low V(OUT)
Automation Candidate:  1, 2, 3
Method:                Sense V(OUT). When valid undervoltage, priority
                       load shed and bus test. Determine P3 good/bad.
                       Determine V(IN) good/bad. If P3 bad, switch-in
                       backup, priority load connect. If P3 good,
                       source overloaded, limit loads reconnected.

Failure Mode:          Efficiency Below Acceptable
Automation Candidate:  1, 2, 3
Method:                Switch backup online, use low-efficiency one as
                       standby.
Benefits:              3, 5, 7, 8

Failure Mode:          V(IN) High
Automation Candidate:  1, 2, 3
Method:                Monitor V(IN). P3 shutdown on V(IN) HI. Shift
                       loads to another P3, or add loads to one with
                       HI V(IN).
Benefits:              2, 6, 7, 15

Failure Mode:          I(IN) High
Automation Candidate:  1, 2, 3
Method:                Priority load shed, then if still failed, switch
                       off and bring on backup.

Failure Mode:          High Internal Temp
Automation Candidate:  1, 2, 3
Method:                Monitor temps, shut down on overtemp. Bring back
                       up online. Priority load add.

Failure Mode:          I(OUT) Overload
Automation Candidate:  1, 2, 3
Method:                Monitor I(OUT), compare to limit, support for
                       programmed time, turn off, pause, restart.


Table 5.1-4
Battery Charger (P3) Failure Modes, Automation Candidates and Benefits

Failure Mode:          Failure Mode, Batt V, I, or T Overlimit
Automation Candidate:  1, 2, 3
Method:                Monitor, limit check, reduce charge V&I; if
                       still over limit, turn off.
Benefits:              2, 4.6, 4.8, 7, 8, 13

Failure Mode:          Battery-Charger Mode, Solar-Array Voltage
                       Collapse
Automation Candidate:  1, 2, 3
Method:                Sense V across series-pass transistor & when
                       less than limit, turn P3 off, pause until solar
                       array recovers, then restart.
Benefits:              2, 6, 7, 15

Failure Mode:          Piece-Part Failure in Stabilization Circuit, or
                       Output Filter Cap Open-Useable, But Increased
                       Ripple Voltage
Automation Candidate:  1, 2, 3
Method:                Onboard computer analysis of time response,
                       compare spectrum to nominal, detect failure, use
                       this one as standby.
Benefits:              4.6, 4.8, 7


Table 5.1-5
Transformer Coupled Converter Failure Modes, Automation Candidates and
Benefits

Failure Mode:          Output Over/Under Voltage
Automation Candidate:  1, 2, 3
Method:                Output V sense, limit check for undervoltage,
                       hardware over V detect & shunt trip, priority
                       load removal, reapply, switch backup on line.
Benefits:              6, 7, 15

Failure Mode:          Low Efficiency
Automation Candidate:  1, 2, 3
Method:                Periodically calculate efficiency, switch low
                       unit to backup status.
Benefits:              6, 7, 15

Failure Mode:          Input V, I, T Out of Limit
Automation Candidate:  1, 2, 3
Method:                Monitor, limit check, turn off for out of limit,
                       bring back up online.
Benefits:              6, 7, 15








Table 5.1-6
Series Resonant Inverter (Dc/Ac) Failure Modes, Automation Candidates
and Benefits

Failure Mode:          Input Cap Overvoltage
Automation Candidate:  1, 2, 3
Method:                Input cap over V detect & shutdown. Bring back
                       up online & priority connect loads.
Benefits:              2, 4.6, 4.8, 7

Failure Mode:          Output Over/Undervoltage
Automation Candidate:  1, 2, 3
Method:                Monitor & limit check output voltage, turn off
                       on over V, on under V priority remove loads,
                       find failure in SRI or source, start backup and
                       priority load connect.
Benefits:              2, 4, 4.6, 7

Failure Mode:          Input Fuse Open
Automation Candidate:  1, 2, 3
Method:                Monitor fuse status; if bad, start back up,
                       alert higher levels that this SRI is bad.
Benefits:              1




Table 5.1-7
Solar Array Voltage Controller Failure Modes, Automation Candidates and
Benefits

Failure Mode:          Discrete Switch Failure to Operate
Automation Candidate:  1, 2, 3
Method:                Direct monitor, extra set of contacts, indirect
                       monitor, I & V.
Benefits:              2, 3, 4.6, 4.8, 7, 15

Failure Mode:          Solar Array Battery Share Mode
Automation Candidate:  1, 2, 3
Method:                Monitor solar array V & Bat I during sun. If Bat
                       is discharging when it should be charging,
                       remove loads on priority basis to allow array to
                       recover, or use boost conv to raise array V.

Failure Mode:          Control Electronics Failure Causes Solar
                       Oscillations
Automation Candidate:  1, 2, 3
Method:                Compare measured to theoretical solar bus power,
                       or use spectrum of bus V, unwanted harmonics
                       mean a failure.

Failure Mode:          Closed Loop Controller Failure
Automation Candidate:  1, 2, 3
Method:                Monitor error signal, saturated error signal
                       means failure, switch-on backup unit.


Table 5.1-8
NiCd and NiH2 Batteries Failure Modes, Automation Candidates and
Benefits

Failure Mode:          Low Discharge Voltage (DV) - Cell or Module
Automation Candidate:  1, 2, 3
Method:                1) Compare the EODV with average EODV all other
                          cells or modules (EODV) within one battery
                          string.
                       2) Reestablish EODV caution, warning, and alarm
                          limits based on trend data.
                       3) When alarm limit is reached, and EODV limit,
                          try load shedding during each successive
                          discharge period, increasing the amount of
                          load power removed as the EODV decreases.
Benefits:              1, 2, 4.8, 7, 8, 11

Failure Mode:          Low Discharge Voltage (DV) - Battery
Automation Candidate:  1, 2, 3
Method:                1) Compare the EODV with those of other
                          batteries (EODV).
                       2) Same as 2 above.
                       3) Same as 3 above.

Failure Mode:          Cell Short or Open
Automation Candidate:  1, 2, 3
Method:                1) Monitor individual cell voltages and verify
                          shorted cell (check charge, discharge, and
                          open-circuit voltages of cells and battery).
                       2) Bypass shorted cell; replace with spare cell
                          following charge equalization procedure.
Benefits:              6

Failure Mode:          Cell Voltage Reversal during Discharge
Automation Candidate:  1, 2, 3
Method:                1) If reverse voltage alarm limit:
                          - Bypass that cell, and/or
                          - Reduce load on battery or
                          - Remove battery until DV is positive.
Benefits:              1, 2, 4.8, 7, 8, 11


Table 5.1-8 (cont)

                       2) During subsequent charge/discharge cycles:
                          - Increase recharge fraction (RF),
                          - Reduce load on battery or
                          - Remove battery during eclipse periods.
                       3) Determine goodness/badness of cell by
                          comparison with other cell performance.

Failure Mode:          Cell Underpressure during Charge or Discharge,
                       or Low Battery Capacity
Automation Candidate:  1, 2, 3
Method:                1) Determine if cell(s) has partial short;
                          compare with other cells for excessive
                          unbalance in pressure.
                       2) Determine if battery was excessively
                          discharged or undercharged in previous cycle.
                       3) If sufficient recharge power is available,
                          increase the RF by 0.03 in subsequent cycles;
                          monitor battery EODV and average end of
                          discharge pressure (EODP).
                       5) If EODV and/or EODP do not increase in each
                          cycle, reduce battery load and/or remove
                          battery during each eclipse period, and
                          continue until EODV and EODP have attained
                          normal values.
Benefits:              1, 2, 11

Failure Mode:          Cell Overpressure during Charge
Automation Candidate:  1, 2, 3
Method:                1) Determine if cell is being severely
                          overcharged (check RF, cell temperature,
                          charge-voltage limits).
Benefits:              1, 2, 4.8, 7, 11, 15


Table 5.1-8 (concl)

                       2) Reduce charge current or charge voltage, or
                          remove battery.
                       3) Check for excessive unbalance in pressure
                          relative to other cells in battery.

Failure Mode:          Excessive Battery Temperature
Automation Candidate:  1, 2, 3
Method:                1) Determine cause(s) of excessive temperature:
                          - Excessive overcharging
                          - Excessive discharge rate or DOD
                          - Thermal-control failure
                          - Spacecraft orientation so the battery is
                            exposed to sunlight.
                       2) If it is due to excessive overcharging,
                          reduce RF or charge rate; if caused by
                          excessive discharge rate, thermal-control
                          failure, or spacecraft orientation, reduce
                          battery load; continue until it attains
                          normal temperature.
Benefits:              1, 2, 4.8, 7, 11, 15

Failure Mode:          High Charge Voltage (CV)
Method:                1) Determine cause(s) of high CV:
                          - Charge controller failure (to clamp
                            voltage)
                          - Temperature sensor failure
                       2) Reduce battery current by array section
                          switching.
Benefits:              1, 2, 11, 15


Table 5.1-9
Housekeeping Supplies Failure Modes, Automation Candidates and Benefits

Failure Mode:          Voltage Current Hi/Lo Out of Limit
Automation Candidate:  1, 2, 3
Method:                Direct monitor, limit check, switch to back up
                       if available, report status.
Benefits:              2


Table 5.1-10
Magnetic Latching Relay Failure Modes, Automation Candidates and
Benefits

Failure Mode:          Failure to Transfer, Spurious Transfer, Relay
                       Driver Fails, or Contacts Open or Welded Shut
Automation Candidate:  1, 2, 3
Method:                Verify command executed by direct and indirect
                       determination of relay position. Automatic
                       reentry of a failed command. Periodically
                       compare relay commands to position, and report
                       differences.
Benefits:              2, 4.6, 4.8, 8

Failure Mode:          Relay Oscillates
Automation Candidate:  1, 2, 3
Method:                Look for measure of output, amplitude harmonics.
Benefits:              2, 4.6, 4.8, 8

Table 5.1-11
Motor Driven Switch Failure Modes, Automation Candidates and Benefits

Failure Mode:          Fail to Transfer, or Spurious Transfer
Automation Candidate:  1, 2, 3
Method:                Command verification & periodic position
                       monitoring (see Mag Latch Relays).
Benefits:              2, 4.8, 4

















Table 5.1-12
Remote Power Controller Failure Modes, Automation Candidates and
Benefits

Failure Mode:          Fail to Transfer, Spurious Transfer. Relay
                       Driver Fails, Contacts Open or Welded Shut.
                       Thermal Failure Causes RPC Cold Plate Temp to
                       Increase
Automation Candidate:  1, 2, 3
Method:                Verify command executed by direct and indirect
                       method. Automatic reentry of a failed command,
                       report a failed command. Periodically compare
                       relay commands to position and report
                       differences.
Benefits:              2, 4.6, 4.8, 7, 8

Failure Mode:          RPC Oscillates or Fails to Limit Rise of Current
Automation Candidate:  1, 2, 3
Method:                Measure spectrum of output, look for
                       high-amplitude harmonics.

Failure Mode:          Fail to Limit Current Fall (-di/dt)
Method:                Same as above. This can work for small
                       inductance. For large inductance, RPC destroyed
                       after failure.

Failure Mode:          RPC 3 Second Timer Fails. RPC Carries Fault
                       Current until RPC Internal Fuse Opens
Method:                Computer timer monitors fault current and trip
                       indicator on RPC. When fault clear-time exceeds
                       RPC carry time and no trip indicator, report as
                       failed or anomalous RPC.



Table 5.1-13 Fuses Failure Modes, Automation Candidates, and Benefits

Failure Mode:          Open
Automation Candidate:  1, 2, 3
Method:                Determine fuse state good/bad direct or
                       indirect. Direct determination by blown fuse
                       indicator, indirect by input, output current &
                       voltage sensors. Periodically monitor and report
                       status. Store time when failure first detected.
Benefits:              2, 4.6, 4.8, 7, 8








Table 5.1-14
Circuit Breakers Failure Modes, Automation Candidates and Benefits

Failure Mode:          Assumed Manual Breaker. Open When Should Be
                       Closed, or Closed When It Should Open
Method:                Direct or indirect position measurement.
                       Periodically compare manual command table to
                       measured position, store time of change and
                       report status.
Benefits:              2, 4.6, 4.8, 7, 8



Table 5.1-15 Cabling Failure Modes, Automation Candidates and Benefits

Failure Mode:          Cable Opens, Insulation Shorts Wire-to-Wire or
                       Wire-to-Return
Automation Candidate:  1, 2, 3
Method:                Monitor source loads, load switching
Benefits:              2, 4.6, 4.8, 7, 8, 13, 14, 15, 17

Failure Mode:          Insulation Degrades due to Overtemperature in
                       Cable
Automation Candidate:  1, 2, 3
Method:                Monitor cable temp sensors & limit check. Report
                       status to next computer. Higher level to shed
                       loads on priority basis to decrease cable temps,
                       or decide to tolerate on a limited, monitored
                       basis. Higher-level decision required.
Benefits:              1, 2, 4.8, 7, 8, 15, 17

Failure Mode:          Thermal Subsystem Failure
Automation Candidate:  1, 2, 3
Method:                Same as above.
Benefits:              (Same as above)

Failure Mode:          Modular Buildup or Attitude-Control Mode
Automation Candidate:  1, 2, 3
Method:                Same as above. Resource protection automated.
                       System fault may require human involvement for
                       correction.
Benefits:              (Same as above)


















Table 5.1-16
Sensors and Signal Conversion Failure Modes, Automation Candidates and
Benefits

Failure Mode:          Catastrophic Failure
Automation Candidate:  1, 2, 3
Method:                Limit checks, compare to redundant unit, check
                       state of user, periodically report status.
Benefits:              1, 2, 4.6, 4.8, 7, 8

Failure Mode:          Drift
Automation Candidate:  1, 2
Method:                Compare redundant units, sum V, I, P & check
                       deltas from zero, trend analysis, periodically
                       report status.

Failure Mode:          Out of Calibration
Automation Candidate:  1, 2
Method:                No practical method now (desirable to develop).
Benefits:              1, 2, 6

Failure Mode:          Antialiasing Filter or ADC Ground Open
Automation Candidate:  1, 2, 3
Method:                Inject reference signal with harmonics into
                       filter and ADC. Observe several samples, if
                       good, all ADC outputs within limits. Report
                       status.
Benefits:              1, 2, 4.6, 4.8, 7, 8


Table 5.1-17
LiSOCl2 Battery Failure Modes, Automation Candidates, and Benefits

Failure Mode:          Fail While Not Operating, Open-Shorted
Automation Candidate:  1, 2
Method:                Monitor bat. & cell V, periodic short-term
                       loading to verify operational & prove backup
                       capability exists, trend analysis.
Benefits:              1, 2, 4.6, 4.8, 7, 8

Failure Mode:          System Failure or False Emergency Causes Battery
                       To Be Put Online
Automation Candidate:  1, 2, 3
Method:                Monitor [illegible] out & report [illegible]
                       time battery will last at present rate of
                       discharge. Also, output time bat. would last at
                       other rates of discharge, store all removed
                       because when emergency over, bat.
                       fault-management capacity will be lowered.
Benefits:              1, 2, 4.6, 4.8, 7, 8


Table 5.1-18
Chemical Turbomachinery Failure Modes, Automation Candidates, and
Benefits

Failure Mode:          Fail While Not Operating
Automation Candidate:  1, 2
Method:                Monitor reactant pressure, amount remaining,
                       critical temps, periodic short-term operation to
                       verify backup capability, trend analysis, report
                       status.
Benefits:              1, 2, 4.6, 4.8, 7, 8

Failure Mode:          Some Failure Causes Component to Turn on &
                       Supply Power
Automation Candidate:  1, 2, 3
Method:                Monitor rate of reactant use & printout of time
                       remaining at several different rates. Store
                       consumables data because when use over, fault
                       management capability will be lowered.
Benefits:              1, 2, 4.6, 4.8, 7, 8


Table 5.1-19
Other Subsystems and Activities Failure Modes, Automation Candidates,
and Benefits

Failure Mode:          Flexible Structures and Control, Oscillations
Automation Candidate:  Not a Candidate

Failure Mode:          Data System Degraded; Data Rates; CPU
Automation Candidate:  1, 2, 3
Method:                Automatic scaledown of EPS computation, shift
                       high-level automation to ground.
Benefits:              1, 2, 4.6, 4.8, 7, 8

Failure Mode:          EPS/Crew/Gnd Interface - Invalid Commands
Automation Candidate:  1, 2, 3, 6
Method:                Real-time validation of all commands, prompting
                       of crew on consequences overriding auto
                       function.
Benefits:              1, 2, 4.6, 4.8, 7, 8

Failure Mode:          EPS/Crew/Gnd Interface - Inadequate Training
Automation Candidate:  1, 2
Method:                Computerized training, configuration update,
                       prompting by computer.
Benefits:              4, 13, 9

Failure Mode:          Activity, Software Maintenance
Automation Candidate:  1, 2
Method:                Specialized software tools.
Benefits:              9, 13

Failure Mode:          Thermal Control Can Not Maintain EPS
                       Temperatures
Automation Candidate:  1, 2, 3
Method:                Integrated design of high-level control of
                       thermal & EPS required.
Benefits:              1, 2, 4.6, 4.8, 7, 8

Failure Mode:          User Loads, Open, Short or Changed Impedance
Automation Candidate:  1, 2, 3
Method:                Periodically calculates Z, limit check, output
                       status, & trend. For additional SOH information,
                       take time-response of V&I. Extract spectrum.
                       Compare spectrum and time response to nominals
                       stored in computer.
Benefits:              1, 2, 4.6, 4.8, 7, 8



Table 5.2-1 Monitoring Task Examples

Operational State Determination

- Number and Identity of Components Online, Offline, or Failed Relay
  Position and Command State

State of Health

- Solar Array, Batteries, Power Conditioning, Bias (Housekeeping)
  Power Supplies

- Built-in Test and Checkout (Limit Checks)

Performance and Trend Analyses

- Solar Array

  - Normalized Peak Power (NPP), Available Average Power/Daytime vs
    Orbit Number

  - NPP and Isc Degradation

  - Minimum, Average, and Maximum Temperature

- Batteries

  - SOC, DOD, EODV, and EOCV Limit vs Orbit Number

  - Average Temperature during Charge and Discharge vs Orbit Number

  - Total Number of Cycles above X% DOD, Y% DOD

  - Number of Cycles Since Last Reconditioning

  - Battery Recharge Fraction vs Orbit Number

- Bus Power Capability (Orbital Average, Average Power Margin)

- Bus Load (Day, Night, and Orbit Average)

- Converters and Inverters

  - Efficiency

  - Output Impedance

- Load Equipment

  - Input Impedance

Table 5.3-1 Control Task Examples

Solar Array

- Orientation Control
- Voltage Regulation

Batteries

- Charge and Discharge Control
- Spare Module or Cell Management
- Reconditioning
- Redundancy

Converters

- Load-Sharing Control
- Redundancy Management

Imbedded Controller (e.g., P3 Converter):

- Mode Control (Voltage Regulator or Battery Charger)
- Internal Fault Detection and Isolation
- Overload Handling
- Output-Voltage Programming

TASK 4 - PARTITIONING OF AUTOMATION FUNCTIONS


OBJECTIVES AND SCOPE

The objectives of Task 4 were to develop a method for partitioning the
automation activities between the EPS, Space Station System, and the
ground, and to partition all EPS-automation candidates developed in
Task 3.

SUMMARY

The partitioning method used was as follows. First, the time
criticality of the function is determined. From this analysis,
functions can be separated into (1) time-critical functions that
require dedicated hardware, such as bus overvoltage, and (2) functions
that do not require the fast response time and are candidates to be
performed by a computer. Next, the location where the task is to be
performed and the resources to do the task are identified. A
determination is then made of the external interface impacts: Are the
impacts totally within the EPS? Or are these impacts outside the EPS?
The general criteria established for partitioning the automation
functions are as follows:

- Dedicated hardware is to be located in the EPS component;

- Fault detection, isolation, and correction can be partitioned to
  different levels;

- To be partitioned to the EPS, the fault must originate in the EPS;
  the correction resources should be in the EPS; and there should be
  no impacts outside the EPS.

Finally, the last step consists of considering each function
partitioned to the EPS, the Space Station System, and the ground, and
providing rationale for or against each partitioning. Partitioning can
be facilitated in terms of where sensing, analyzing, and acting should
best be performed.

6.1 GENERAL METHOD

6.1.1 Fault-Handling Partitioning of Tasks

The methodology for partitioning is firmly grounded in an analysis of
the time criticality of the fault, a partitioning of the automation
task between hardware or software based on the time criticality, an
identification of where the fault is defined and where the correction
resources are, and an identification of the external impacts of the
fault. One of the study ground rules was that the partitioning would
be to the EPS, Space Station System, or to the ground. General
partitioning criteria were developed. Each specific fault was
considered partitioned to each of the three areas, EPS, System, and
ground, and recommendations and rationale for each particular
partitioning were given. It was considered just as significant to give
rationale for not partitioning a function to one area as it was to
provide rationale for partitioning a function to the area of optimal
benefit.

The following sections present the detailed steps in the
automation-partitioning method.

Identify Fault - The first step in the partitioning process is to
identify the fault being studied. The fault is primarily identified by
EPS assembly and the specific fault. A further identification of the
fault can be made in terms of its operational impact identified in
Task 2.

Time Criticality - Time criticality is defined as the length of time
between a fault occurrence and when the fault impact will be
experienced by the Space Station if the fault is not safed and
corrected.

The smaller the time interval between a fault occurrence and the
impact, the more time-critical is the fault. The time interval can be
identified in units of milliseconds, seconds, minutes, fractions of an
orbit, or multiples of the orbit period. The time criticality is
specified by the time duration between fault occurrence and impact
onset and a gross evaluation of YES/NO for time criticality.

The first use made of time criticality is to identify those faults that
are so fast that they require hardware for sensing, safing, and
correction as opposed to faults that are slower and could be handled by
software. A second use made of time criticality is to aid in
partitioning and assigning a priority to fault handling in the event of
simultaneous faults.
Hardware/Software Partitioning - Time criticality is used to separate
those faults that require dedicated hardware for handling from those
slower faults that could be done by software. Additionally, there can
be a hierarchy of protection levels. For example, say the maximum
temperature in an assembly is not to exceed 80°C. Software could be
used to monitor a temperature transducer and shut the assembly down if
the temperature exceeded 74 ±2°C. Functional redundancy could be
provided by a bimetallic switch that would disable and protect the
assembly if the temperature were 78 ±2°C. In this case, a hardware
backup was provided for a primary software system.

Fault Definition Level - An identification must be made of where in the
Space Station functional architecture the fault can be defined. The
lowest identifiable failure level may not be the same as the lowest
replaceable level. For example, battery cells will be packaged in
modules. The lowest identifiable failure level will be the cell level,
but the lowest replaceable level is the module.

Exactly where the lowest identifiable fault-definition level and
replacement level will be is not known now because they will be
functions of packaging and how much redundancy is built into each black
box. If the choice is made for block redundancy at the black-box level,
then the lowest identifiable and the replacement levels will be the
same.

If the decision is made to package standby redundant elements in each
black box, then the lowest identifiable fault level will be below the
black-box level.

For purposes of this study, faults will be defined at the following
levels:

- Lowest Identifiable Level
- Lowest Replaceable Level
- EPS Level
- Space-Station-System Level

As previously stated, it is not known now where the lowest identifiable
level will be, but it is important to identify this level for input to
the fault-correction process. Examples of black-box-level faults are
fuse failure, relay failure, RPC failure, nonredundant power converter
package, or battery-module failure. Some of the more complex failures
will be defined at the EPS level. Examples of EPS-level faults are a
failure to charge batteries due to a solar-array voltage collapse, or a
user bus undervoltage due to a power-converter or power-source failure.

Both of these examples would require EPS-level information to detect,
analyze, and correct. Faults defined at the Space Station System are
those faults that have such systemwide impacts as to require system
information to define and correct. Examples of system faults are a
thermal-subsystem failure that limits the amount of waste heat that can
be removed from the EPS, or oscillations in the flexible structure that
affect solar-array pointing. Both of these failures will have
systemwide impacts and would require system-level information to detect
and correct.

Identify Level-of-Correction Resources - It is important to identify
where the correction resources are to help in the partitioning process.
For purposes of this study, correction resources are identified at the
following levels:

1) Lowest Identifiable Level;

2) EPS Level;

3) Space Station System Level.

The partitioning process is aided by this resource-level
identification. If the correction resources are in the EPS, then the
decision-making authority may be at the EPS level. If the correction
resources are not at the EPS level, but at the Space Station System
level, then the decision-making authority can not be concentrated at
the EPS level. Decisions at the Space Station System level will be
required.

Identify External Impacts - The purpose of this step is to classify the
faults into two impact categories:

1) No impact outside EPS;

2) Impact outside EPS.

Impacts outside the EPS can, of course, be broken down into various
other categories such as operating-schedule changes, safety-margin
impacts, spacecraft-operating-mode impacts, or payload impacts. For
purposes of this study, it was deemed sufficient to use two categories,
(1) no impact outside EPS, and (2) impact outside the EPS.

External-impact assessment will be used as an aid in the partitioning
process. Faults that do not have an impact outside the EPS are
candidates for handling at the EPS level. If the fault has an impact
outside the EPS, then it is likely some decision-making authority will
have to be assigned to the Space Station System.

Partitioning Ground Rules - The ground rules for partitioning the
automation functions were established by MSFC. The automation functions
will be partitioned among the following three areas:

1) EPS;

2) Space Station System (Central Computer assumed);

3) Ground.

The above three areas are the lowest level of detail for functions to
be partitioned. For example, if a function is partitioned to the EPS,
we will not try to assign it to a distributed- or a central-EPS
processor. Further, if a function is partitioned to the ground, we
shall not try to assign it to a flight-operations or flight-support
center. Also, we will not affect, make any assumptions about, or drive
the computer architecture with any of the partitioning activities.

Criteria for Partitioning - The following is a discussion of general
criteria for partitioning that were developed. All of the criteria are
obtained by application of conservative engineering judgment to the
material developed in the previous steps.

Time-critical hardware functions should be done in the EPS. If a
function is time-critical and requires dedicated hardware to perform,
then the hardware can not be put on the ground, but must be onboard the
spacecraft.

Functions that can be performed by either hardware or software should
be analyzed further to point out the advantages and disadvantages of a
hardware or software implementation. The overriding reason for
partitioning a function to hardware is time criticality. Reasons for
assigning functions to software are:

1) Flexibility;

2) Reprogrammable;

3) Fast response to changing or unforeseen mission requirements.

A reason for assigning a protection function to both hardware and
software is to achieve functional redundancy. If there were to be a
major failure in one area, say computers, then the functionally
redundant hardware-implemented protection systems could still function
independent of the computer.

Software functions can be partitioned to the EPS, Space Station System,
or the ground.

Fault detection, safing, and correction do not all have to be
partitioned to the same area. Similarly, the functions of sensing,
acting, and analyzing can be partitioned to different areas. The more
likely scenario is that the sense and act functions (signal transducers
and control effectors) will be in the EPS. The analysis and
decision-making authority can be shared among the EPS, system, and
ground.

For partitioning to the EPS, the following should be true:

1) The fault should be defined in the EPS;

2) The correction resources should be in the EPS;

3) No impacts outside the EPS.

Even though a particular function is partitioned to the EPS, there can
be enables or concurrence to proceed from either the Space Station
System level, the flight crew and the ground, or combinations of the
levels.

For partitioning to the Space Station System, one or more of the
following should be true:

1) The fault is not defined in the EPS;

2) The correction resources are not in the EPS;

3) There are impacts outside the EPS.

Again, even though a function is partitioned to the Space Station
System level, there can be enables or concurrences to proceed from the
flight crew and/or ground.

The following are some criteria for partitioning functions to the
ground. Functions that can not or should not be automated on board
should be partitioned to the ground. Faults having an expected
occurrence so low as to not be cost effective in automating their
handling onboard could be partitioned to the ground.

Activities so complex or beyond the state of the art for automation
onboard the Space Station are candidates for partitioning to the
ground.
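
The criteria of Section 6.1.1 reduce to a short decision procedure, shown here as an added Python example that is not code from the report. The names `Fault`, `Decision`, `partition` and `check_protection_hierarchy` are hypothetical, the 0.5 s hardware/software boundary is an assumed value, and the sample fault times are constructed; the result is where decision-making authority sits, while sense and act tasks may still be spread across areas. The second function checks a protection hierarchy such as the 74/78/80°C example for trip bands that overlap or exceed the limit.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption (not a figure from the report): the fastest fault a software
# loop can still detect and safe. The report says only that millisecond
# faults need dedicated hardware.
SOFTWARE_RESPONSE_S = 0.5


@dataclass
class Fault:
    name: str
    time_to_impact_s: float              # fault occurrence -> impact onset
    defined_in_eps: bool                 # fault definition level is inside the EPS
    resources_in_eps: bool               # correction resources are inside the EPS
    external_impact: bool                # any impact outside the EPS
    automatable_onboard: bool = True     # False: too complex for onboard automation
    cost_effective_onboard: bool = True  # False: expected occurrence too low


@dataclass
class Decision:
    area: str             # "EPS", "SYSTEM" or "GROUND"
    implementation: str   # "HARDWARE" or "SOFTWARE"
    rationale: List[str] = field(default_factory=list)


def partition(fault: Fault) -> Decision:
    """Place decision-making authority for one fault, recording why."""
    # Time criticality first: too fast for software means dedicated hardware,
    # and dedicated hardware lives in the EPS component.
    if fault.time_to_impact_s < SOFTWARE_RESPONSE_S:
        return Decision("EPS", "HARDWARE", [
            "time-critical: needs dedicated hardware onboard",
            "against SYSTEM and GROUND: neither can react in time"])
    # Ground takes what cannot, or should not, be automated onboard.
    if not fault.automatable_onboard:
        return Decision("GROUND", "SOFTWARE",
                        ["against onboard: beyond the state of the art to automate"])
    if not fault.cost_effective_onboard:
        return Decision("GROUND", "SOFTWARE",
                        ["against onboard: occurrence too low to justify automation"])
    # EPS needs all three criteria to hold; any one failing moves it to SYSTEM.
    failed = []
    if not fault.defined_in_eps:
        failed.append("fault is not defined in the EPS")
    if not fault.resources_in_eps:
        failed.append("correction resources are not in the EPS")
    if fault.external_impact:
        failed.append("there are impacts outside the EPS")
    if failed:
        return Decision("SYSTEM", "SOFTWARE", ["against EPS: " + r for r in failed])
    return Decision("EPS", "SOFTWARE", [
        "fault defined in EPS, resources in EPS, no external impact",
        "against SYSTEM: no system-level information or resources needed"])


def check_protection_hierarchy(limit: float,
                               layers: List[Tuple[str, float, float]]) -> List[str]:
    """Check (name, setpoint, tolerance) layers, primary first, against a limit.

    Each layer must trip by the limit, and a backup must not be able to trip
    before the layer ahead of it has had its full tolerance band to act.
    """
    problems = []
    prev_name, prev_latest = None, None
    for name, setpoint, tol in layers:
        earliest, latest = setpoint - tol, setpoint + tol
        if latest > limit:
            problems.append(f"{name} can trip as late as {latest}, above the {limit} limit")
        if prev_latest is not None and earliest < prev_latest:
            problems.append(f"{name} can trip at {earliest}, inside the band of {prev_name}")
        prev_name, prev_latest = name, latest
    return problems


# Constructed inputs. Flags follow rows of Tables 6.2-1, 6.2-2 and 6.2-5;
# the numeric times are stand-ins for "milliseconds", "minutes", "seconds".
OVER_VOLTAGE = Fault("dc/dc converter output over voltage", 0.005, True, True, False)
TRACK_SUN = Fault("failure of array to track sun", 120.0, True, False, True)
CELL_SHORT = Fault("cell or battery open or short", 5.0, True, True, False)

if __name__ == "__main__":
    for f in (OVER_VOLTAGE, TRACK_SUN, CELL_SHORT):
        d = partition(f)
        print(f"{f.name}: {d.area}/{d.implementation} {d.rationale}")
    # The report's example: software at 74 +/-2 C, bimetallic switch at 78 +/-2 C.
    print(check_protection_hierarchy(80.0, [("software", 74.0, 2.0),
                                            ("bimetallic switch", 78.0, 2.0)]))
```

With the report's own setpoints the two trip bands meet exactly at 76°C and the backup's band ends exactly at the 80°C limit, so any drift in either tolerance shows up as a reported problem.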

6.1.2 Partitioning Other Automation Tasks

Any functional operation can be separated into three activities:

1) Sense:   Acquire data or information needed;

2) Analyze: - Process raw data to generate desired parameters
              (e.g., power, energy, etc);
            - Analyze data to determine a problem or failure;
            - If a problem or failure is indicated, determine a
              solution approach;
            - Direct the electronics that actually implement the
              task, issue command.

3) Act:     Do the function requested, implement the command
            received (e.g., activation of a switch).

Sensing involves signal transducers, multiplexing, and signal
conversion. Analyzing involves converting raw ADC outputs to
engineering units, analysis of the data to determine the fault/no-fault
status, determination of a solution if a failure is indicated, and the
issuing of corrective-action commands. Acting involves the effectors
such as relays or digital-to-analog converters. The acting activity
implements the command received from the analysis function.

For the non-fault-handling functions, the three activities of sense,
analyze, and act will be partitioned among the EPS, system, and
ground. Rationale for the partitioning will be given.

6.2 RESULTS OF FAULT-HANDLING AUTOMATION PARTITIONING

The results of partitioning the fault-handling automation between the
EPS, Space Station System, and the ground are shown in Tables 6.2-1
through 6.2-15.

The partitioning of automation functions in this task was performed
without reference to the level of autonomy of the Space Station. The
object was to identify the characteristics of the fault and to perform
the partitioning based on identified fault characteristics.

Faults that require a fast detect-and-safe time (milliseconds) and
dedicated hardware (not computers), such as a dc/dc converter output
over voltage, must of necessity have the machine-autonomy automation
placed in the EPS. The fast reaction time makes it impossible to
perform the automation at the Space Station System or ground level.

Table 6.2-1 Solar Array Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Loss of Power from Part of Array; Excessive Power, Degradation | Minutes | No | Yes | EPS | EPS | Yes | (1),(2),(3),(4),(5) | (10),(11) | (10),(12) |
| Failure of Array to Track Sun | Minutes | No | Yes | EPS | System/ACS | Yes | (1),(2),(3),(4),(5) | (7),(10),(11) | (10),(12) |
| Arcing on Array from Plasma Interaction or Corona | Minutes | No | Possible | EPS | System | No | (1),(2),(3),(4),(5) | | (10),(12) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Table 6.2-2 NiCd and NiH2 Battery Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Low Discharge Voltage or Low Capacity | Minutes to Hours | No | Yes | EPS, Cell or Module | EPS | Yes | (1),(2),(3),(4),(5) | (10),(11) | (12),(13) |
| Cell or Battery Open or Short | Seconds to Hours | No | Yes | EPS | EPS | No | (1),(2),(3),(4),(5),(6) | (10),(11) | (12),(13) |
| Cell Voltage Reversal during Discharge | Seconds | No | Yes | EPS | EPS | Yes | (1),(2),(3) | | (12) |
| Excessive Cell Pressure during Charge | Seconds | No | Yes | EPS | EPS | No | (1),(2),(3),(8) | | (12) |
| Battery Temp High or Low | Seconds to Minutes | No | Yes | EPS | EPS | Yes | (1),(2),(3),(4),(5),(8) | (10),(11) | (12) |
| High Charge Voltage | Seconds to Minutes | No | Yes | EPS | EPS | No | (1),(2),(3),(4),(5),(8) | | (12) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

Table 6.2-3 Regenerative Fuel Cell Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Fuel Cell Module Failure: Low Voltage; High Internal Resistance; Open or Short; Cell Voltage Reversal; Pump; Reactant Leakage | Seconds | No | Yes | EPS | EPS | Yes | (1),(2),(3),(4),(5) | (10),(11) | (10),(12),(13) |
| Electrolysis Module Failure: Pump; Cell Open or Short | Minutes | No | Yes | EPS | EPS | Yes | (1),(2),(3),(4),(5) | (10),(11) | (10),(12),(13) |
| Reactant Subsystem: Leakage; Pump | Minutes | No | Yes | System | System | Yes | (1),(2),(3),(4),(5) | (10),(11) | (10) |
| Electrolysis Regulator | Minutes | No | Yes | EPS | EPS | No | (1),(2),(3),(4),(5),(8) | (10),(11) | (13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Table 6.2-4 Solar Array Voltage Controller Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Partial Loss of Power or Control | Minutes to Hours | No | Yes | EPS | EPS | No | (1),(2),(3),(4) | (10),(11) | (10),(12),(13) |
| Full Shunt Fail Short (No Power) | Minutes | No | Yes | EPS | EPS | No, If Corrected; Yes, If Not Corrected | (1),(2),(3),(4) | (10),(11) | (10),(12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

Table 6.2-5 P3 (dc-dc Converter) Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Output Over Voltage | Millisecond | Yes | No | EPS | EPS | No | (1),(2),(3) | (11) | (12) |
| Output Under Voltage | Milliseconds to Seconds | No | Yes | EPS | EPS | No | (1),(2),(3),(4) | (1),(8),(10),(11) | (12),(13) |
| Efficiency Low | Minutes to Hours | No | Yes | EPS | EPS | No | (1),(2),(3) | (11) | (12),(13) |
| Out of Limit: V(In), I(In), Temp | Seconds to Minutes | No | Yes | EPS | EPS | No | (1),(2),(3),(8) | (11) | (12),(13) |
| Thermal Control Failure | Minutes | No | Yes | System | System | Yes | (1),(2) | (8),(10) | (13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Table 6.2-6 Transformer Coupled Converter Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| V(Out) High | Fraction of Sec to Secs | Probably Not. Slower Failure Than Non Transformer Coupled Converter | Yes | [illegible] | [illegible] | No, If There Is Block Redundancy for Correction | (1),(2),(3) | | (12),(13) |
| No Output | Seconds to Minutes | [illegible] | [illegible] | [illegible] | [illegible] | Yes, If No Redundancy | (1),(2),(3),(4) | (10),(11) | (10),(12),(13) |
| Efficiency Degraded | Hours to Months | [illegible] | [illegible] | [illegible] | [illegible] | No | (1),(2),(3),(4) | (11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

Table 6.2-7 Series Resonant Inverter Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Resonant Capacitor Over Voltage | Milliseconds | Yes | No | EPS | EPS | No | (1),(2),(3) | (11) | (12),(13) |
| Output Over Voltage | Milliseconds | Yes | Back Up to Hardware | EPS | EPS | No | (1),(2),(3) | (10),(11) | (12),(13) |
| Input Fuse Open | Seconds | No | Yes | EPS | EPS | No | (1),(2),(3) | (11) | |
| No Output | Seconds to Minutes | No | Yes | EPS | EPS | Yes, If No Redundancy | (1),(2),(3), | (10),(11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Table 6.2-8 Magnetic Latching Relay, RPC, and Motor Driven Switch Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Fail to Transfer, Spurious Transfer (Command Verification) | Seconds to Minutes | No | Yes | EPS | EPS | Yes | (1),(2),(3) | (11) | (12),(13) |
| Output Oscillates | Minutes to Hours | No | Yes | EPS | EPS | Yes | (1),(2),(3) | (11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

Table 6.2-9 Relay Configuration Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Lose Redundancy, Operate Normal | No | No | Yes | EPS | EPS | No | (1),(2),(3) | (10),(11) | (12),(13) |
| Single Relay Fail Open, 2 Series Relays, One Fail Open (Load Can Not Be Connected) | No | No | Yes | EPS | System | Yes | (1),(2),(3) | (10),(11) | (12),(13) |
| Single Relay Fail Closed, 2 Parallel Relays One Fail Closed (Load Can Not Be Removed) | No | No | Yes | EPS | System | Yes | (1),(2),(3) | (10),(11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Table 6.2-10 Remote Power Controller Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Fail to Limit di/dt | Milliseconds | No | Analysis by Software | EPS | System | Yes | (1),(2),(3) | (10),(11) | (12),(13) |
| RPC 3-sec Timer Fails; RPC Fails to Clear Fault Current | Seconds | No | Yes | EPS | EPS | Yes | (1),(2),(3) | (10),(11) | (12),(13) |
| Thermal Control Failure Causes RPC Cold Plate Temp to Approach Limit | Seconds to Minutes | No | Yes | System | System | Yes | (1),(2),(3) | (10),(11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

Table 6.2-11 Fuse Configuration Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Single Fuse Open; Series Fuses One Open; No Power Can Be Applied to a Load | No | No | Yes | Fuse | System | Yes | (1),(2),(3) | (10),(11) | (12),(13) |
| Two Parallel Fuses, One Open | No | No | Yes | Fuse | System | No | (1),(2),(3) | (10),(11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Table 6.2-12 Cabling Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| High Temp in Cable | Minutes | No | Yes | EPS | System | Yes | (1),(2),(3) | (10),(11) | (12) |
| Insulation Shorts Wire to Wire or to Return | Seconds to Minutes | No | Yes | EPS | EPS | Yes | (1),(2),(3) | (10),(11) | (12) |
| Modular Buildup Activity Impacts Cables (Overloads or Overtemps) | Minutes | No | Yes | EPS | System | Yes | (1),(2),(3) | (10),(11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

Table 6.2-13 Gimbal Failure Types and Partitioning of Correction Tasks

| Fault | Analysis: Time Criticality | Analysis: Correction Approach, Hardware | Analysis: Correction Approach, Software | Analysis: Fault Definition Level | Analysis: Correction Resources | Analysis: External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Slip Ring Noise | Hours | No | Yes | EPS | System | No | (1),(2),(3) | | (12) |
| Slip Ring Short, Roll Rings Open, Twist Flex Open, Rotary Transformer Open | Minutes | No | Yes | EPS | EPS, If Block Redundant; System, If No Block Redundancy | Yes | (1),(2),(3) | (11) | (12),(13) |

Notes:
(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Table 6.2-14 Sensor Failure Types and Partitioning of Correction Tasks

| Fault | Time Criticality | Correction Approach: Hardware | Correction Approach: Software | Fault Definition Level | Correction Resources | External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Catastrophic Failure, Drift, Antialiasing Filter or ADC Ground Open | Minutes | No | Yes | EPS | EPS | No | (1),(2),(3) | (11) | (12),(13) |
| Out of Calibration | Days | No | Yes | EPS | System | Yes | — | | (1) |


Notes:

(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

Table 6.2-15 Auxiliary Power Unit Failure Types and Partitioning of Correction Tasks

| Fault | Time Criticality | Correction Approach: Hardware | Correction Approach: Software | Fault Definition Level | Correction Resources | External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| APU Failure; Reactant Supply Failure | Minutes to Days | No | Yes | APU | EPS | Yes | (1),(2),(3) | (10),(11) | (12),(13) |
| Emergency Shutdown System False Shutdown Alarm | Yes | Yes | Yes | EPS | EPS | Yes | (1),(2),(3) | (11) | (12),(13) |


Notes:

(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management

It was found that many of the well-understood faults that had correction
times low enough to be compatible with software could technically
be done either in the EPS, the Space Station System, or the ground.

The discriminators used to pick the best area were: 

1) Fault Definition Level; 

2) Correction Resources Level; 

3) External Impacts. 

If the fault could be defined and corrected in the EPS without external 
impact, then it was recommended that the automation should be done in 
the EPS. If the fault could not be defined or corrected in the EPS or 
there were external impacts, then it was generally found there would be 
reason to require some analysis or executive authority at the Space 
Station System level. The sense and act functions would be at the EPS, 
but there would be some analysis at the system level. This executive 
authority could be at the Space Station System level or on the ground. 
It was generally not partitioned to the ground because of the following 
reasons: 

1) Not minimum ground involvement; 

2) Not minimum communications overhead; 

3) Lose communications, lose function. 

There were some failures that were classed as not practical to automate
onboard early in the program. They included solar-array pointing problems
due to oscillations in a large flexible structure and plasma interaction.
The above faults are recommended to be done on the ground.
It is expected that in the initial stages of the space station program,
the above faults would not be automated on the ground, but would be
handled by human experts. As the program matures, these problems could
become candidates to be automated by expert systems software.

6.3 RESULTS OF PARTITIONING OF OTHER AUTOMATION TASKS


A summary of the partitioning of the non-fault-handling automation can- 
didates is shown in Table 6.3-1. A detailed discussion of several po- 
tential automation activities is presented in the following paragraphs. 

6.3.1 Battery Reconditioning 

Battery reconditioning basically involves deep discharging and recharg- 
ing at a low current. Reconditioning is not necessary more than once 
every six months. The autonomy-level requirements for the Space Sta- 
tion will be a major driver in the partitioning of this function. For 
example, if the requirements were for 7-day operation without ground 
intervention, then the decision could be placed on the ground. If the 
requirement were for 8-month operation without ground intervention, 
then the decisionmaking would have to be placed onboard the Space 
Station. 

EPS Partitioning - If the authority to make the decision to recondition 
the batteries were placed in the EPS, it is likely the decision to per- 
mit reconditioning is still required by the system computer or ground. 

Space Station System Partitioning - It is functionally acceptable for 
the decisionmaking to recondition a battery to be placed at the Space 
Station System level. Because this is an EPS decision, it could logi- 
cally be assigned to the EPS. The decision as to an exact time to per- 
form the battery reconditioning appears to reside logically at the 
space station system level because there may be system-level impact in 
taking a battery offline for reconditioning. 
Table 6.5-1 Other Subsystems and Activities That Can Impact EPS and Partitioning of Correction Tasks

| Fault | Time Criticality | Correction Approach: Hardware | Correction Approach: Software | Fault Definition Level | Correction Resources | External Impacts | Task Partitioning: EPS | Task Partitioning: System | Task Partitioning: Ground |
|---|---|---|---|---|---|---|---|---|---|
| Flexible Structure Oscillations; Degraded Solar Array Pointing | Minutes to Hours | No | Yes | System | System | Yes | — | (1),(b) | (12) |
| Command and Data Subsystem Degraded Data Rates | Minutes | No | Yes | System | System | Yes | | (1),(8) | (12) |
| Command and Data Subsystem, Loss of CPU Power | None | No | Yes | System | System | Yes | — | (1),(8) | (12) |
| EPS, Crew, and Ground Command Interface | None | No | Yes | N/A | N/A | N/A | | (1),(8) | (12) |
| Thermal Control Degradation or Failure | No, Minutes to Hours Because of Thermal Masses | No | Yes | System | System | Yes | | | |
| User Load Short or Overload | Shorts, Yes, Fractions of a Second. Overloads No, Seconds | Shorts, Yes; Overloads, No | For | EPS | EPS | Yes | | | |

Notes:

(1) Sense Fault
(2) Effect Load Control As Required
(3) Monitor State of Health
(4) Calculate Total Bus Power Capability
(5) Calculate Energy Capability
(6) Isolate Fault
(7) Correct Fault
(8) Isolate and Correct Fault
(9) Enable Automatic Fault Correction by EPS
(10) Generate New Load Sequence Commands
(11) Store Failure Diagnostic Data
(12) Do Trend and/or Failure Analysis
(13) Bus Power Capability and Demand Analysis & Enable Power Management


Ground Partitioning - Due to the slow response time for this decision,
it is completely acceptable for this decision to be made on the
ground. The range of authority that can be assigned to the ground
ranges from none to the authority to decide when to perform the
reconditioning. For the early Space Station, ground should decide the time
for battery reconditioning.

6.3.2 Battery Charge/Discharge Control 

Battery charge/discharge control is a routine function that is performed
continuously, 24 hours a day. It is a function that is logically
an EPS function. It is a function that is technically acceptable to
perform either at the Space Station System level or on the ground.
Performing the routine function on the ground would not be consistent
with the goal of reducing ground involvement.

6.3.3 Trend Analysis 

The principal driver in considering onboard trend analysis is the cost 
of nonvolatile, mass storage. As an example, 1000 eight-bit words sam- 
pled every five minutes will require 104 megabytes per year. Once the 
decision is made to do onboard trend analysis, there will be a require- 
ment for onboard data-base management, retrieval software, and graphics 
software for display. 

Another decision is how to use the trend data onboard. If use of the
trend data is to be automated, then software is required. If the trend
data are to be used only manually by the flight crew, there will be a
training impact to assure that the crew is at a certified level of
competence to interpret and use the data. Another possibility is automated
analysis of the trend data but concurrence by the crew or ground
before action is taken by the onboard software.

6.3.4 Caution & Warning

It is assumed that a computer will determine the caution, warning, and
shutdown status and make it available to the astronauts and ground
personnel.

The critical issue is the autonomy level of interpreting the
computer-generated status, planning corrective action, and implementing the
corrective action. If there is no autonomy, this would mean that a man
(astronaut or ground) would be required to interpret the status, plan
the corrective action, and input corrective-action sequences to the
Space Station.

The next higher level of autonomy would have a computer interpret the
status and plan corrective action. The computer would then advise the
man (astronaut or ground) of its analysis and corrective-action plan.
The computer would not take any corrective action. The man would be
required to input corrective-action sequences to the space station to
implement correction. Different degrees of autonomy can be described
by the language the astronaut or ground controller uses to command the
space station. The least autonomy would occur if a low-level language
similar to assembly language were used. The next higher level would
occur if a high-level language were used.

Partition to EPS 

Detection can be performed at the EPS level because the measurements
are available at the EPS level. To place the analysis and
corrective-action planning and implementation in the EPS would require
sophisticated computer programs. There would be an increase in front-end
program costs and a reduction in downstream operating costs. There would
be an increase in software development and validation costs. There
would be an impact on computer speed, random-access memory, and
nonvolatile mass memory.

Partition to Space Station System

The detection function could be done at the system level, but it would
result in a higher communications overhead than performing detection at
the EPS level.

If caution and warning is put at the space station system level, there 
are several options as to how to do it. The options are: 

1) Astronauts interpret outputs and initiate corrective action; 

2) Computer analyzes outputs, advises astronaut, astronauts initiate 
corrective action; 

3) Computer analyzes outputs, initiates corrective action with
astronauts' concurrence or initiates corrective action without astronaut
concurrence, and then informs the astronaut of the results of the
corrective action.

An advantage of completely autonomous operation is that the Space Sta- 
tion can be operated unmanned. 

Partition to the Ground - The detection function could be done on the
ground, but it would have a higher communications overhead than
performing detection onboard. The different levels of ground autonomy are
the same as for the onboard system level, with astronaut replaced by
ground controller. A disadvantage of performing any of these functions
on the ground is that if communications are lost, the function is
lost. An advantage is that the Space Station can be operated unmanned.

6.3.5 Space Station Modular Buildup 

The growth philosophy entails a complex operation that is not understood
in detail at present. With respect to partitioning, the following
scenario is postulated for the migration of authority and autonomy
over the life of the program. In the first stages of the program, the
onboard systems can do automated checkout, but the authority to proceed
is received from the ground. The ground would be responsible for the
decision to proceed during the validation and early program stages. As
the program matures, it is expected the authority to proceed could
migrate from the ground-operations crew to ground automated systems, then
to the onboard crew, and ultimately, to the onboard automated systems.

It is expected that detail checkout of the EPS assemblies will be par- 
titioned to the EPS even on the initial station, but responsibility for 
verifying the checkout and authority to proceed to the next step will 
migrate from the ground crew, to the flight crew, and ultimately, to 
the onboard automated system. 
TASK 5 - METHOD FOR AUTOMATION TASK ASSESSMENT AND IMPLEMENTATION

OBJECTIVE AND SCOPE

The objective of this task is to develop a system to use all of the
information resulting from the first four tasks to provide a logical
ordering of automation activities and derived benefits. The system
should serve as a logic flow for determining (1) what activities should
be considered for automation, (2) what is required to implement the
automation, (3) how the options compare, (4) availability of technology,
and (5) impact on system performance.

SUMMARY 

A study flow plan for automation assessment is shown in Figure 7-1. 

The first step is to define a specific study area such as how to auto- 
mate the correction of overtemperature faults in batteries. Three bas- 
ic inputs required for the study are: 

1) System-level criteria, 

a) Space station autonomy/automation requirements, including
autonomy level,

b) Reliability, maintenance and safety requirements,

2) Subsystem-level criteria,

a) Functional requirements and description,

b) Subsystem interfaces,

c) Component functional requirements,

3) Mission operations.

a) Man-machine interface,

b) Flight-controller functions (i.e., ground crew),

c) Astronaut/subsystem operational criteria and constraints.


[Figure 7-1 box labels: Define Study Areas; S/C Autonomy Requirements, or Constraints and Assumptions; Task 1 Output; Task 2 Output; Study Outputs; Autonomy Level of S/C]

Figure 7-1 Study Flow Plan for Automation Assessment


The autonomy level is used to prioritize automation candidates and aid
in partitioning automation functions between the ground and the space
station. Reliability requirements are used to categorize faults and to
aid in selecting a fault-correction option. Mission-operations criteria
are used to define specific automation functions needed for orbital
operations.

Factors to be analyzed and defined in a detailed assessment of the 
automation function are: 

1) Impact; 

2) Fault category; 

3) Fault correction options; 

4) Benefits; 

5) Time-criticality; 

6) Basic implementation, hardware or software. 

Basic technical elements in NASA's program development usually consist
of Phase A (planning, conceptual requirements definition, and design),
Phase B (preliminary requirements definition and design), and Phases C
and D (detailed design, fabrication, and integration; launch operations;
mission operations). It is assumed that Space Station-level
autonomy/automation and reliability requirements will be addressed in
each of these program phases, and their details will increase as the
program phases progress. The method outlined here depends to a large
extent on the system-level requirements available. Therefore, the extent
to which automation assessment can be done at the subsystem level is a
function of level of details available at the station level. It is
logical, then, to assume that the designers, especially during Phases
B, C, and D, would have access to top-level specifications and
design-criteria documents covering not only autonomy/automation requirements,
but also other high-level functional criteria.

Other inputs to the automation-assessment study are the outputs of
Tasks 1 to 4. The outputs of the automation-assessment study for one
specified area are the following:

1) Description of study area; 

2) List of faults and activities from Task 2, 

a) Impacts on subsystem and system (i.e., Space Station), 

b) List of fault-correction options, 

3) Automation Candidates from Task 3,

a) Priority list of automation candidates based on spacecraft 
autonomy level, 

b) Benefits list, 

4) Partitioning of automation candidates between ground and space 
station based on station autonomy level: 

a) Partition onboard automation between EPS and system based on 
output of Task 4, 

b) Time-criticality of function, 

c) Basic implementation, hardware or software. 

7.1 GENERATION METHOD 

7.1.1 Step 1 - Define Study Area 

The first step is to define the study area. The study area should be
defined in terms of the descriptions used in Tasks 1 to 4. Examples of
specific study areas are:

1) Cable overtemperature;

2) Power converter failures;

3) Battery charge/discharge control;

4) Battery operations management.

7.1.2 Step 2 - Define Inputs

The basic autonomy/automation requirements identified in Space Station
Definition Book 5 (Ref 9) are listed in Table 7.1.2-1.

Table 7.1.2-1

Summary List of Space Station Autonomy/Automation Requirements

- Implement Autonomy and Automation to Ensure Cost-Effective Operation
  without Compromising Mission Success or Crew Safety

- Space Station Shall Operate Independent from Ground Support for
  TBD Time

- Near-Term Activity Planning Shall Be Required Onboard the Manned
  Space Station

- Consumables Management Required on Board under Supervisory Control
  of Flight Crew

- Eliminate, As Far As Practicable, the Need for Real-Time Monitoring
  of Control of EPS by Flight or Ground Crew. Maximize Machine
  Autonomy to Minimize Crew Involvement in Fault Handling

- Autonomous Handling of Low Faults. High-Level Unsafe Conditions
  Shall Autonomously Initiate Safe State and Hold for Human
  Involvement

- Machine Autonomy Shall Be Provided for:

  - Periodic Maintenance - Battery Conditioning

  - Resource Management - Power Management, Battery Energy Accounting
    and Control

- Load Sequences Shall Be Autonomously Modifiable in Flight

- Fault-Detection Limits Shall Be Reprogrammable

- Machine-Autonomous Functions Shall Have Individual Enable/Inhibit
  Control

- Fault-Handling Responses Shall Be Reprogrammable in Flight

- General Approach Is to Place Flight Crew in a Supervisory Capacity
  and to Program Computers and Machines to Do Most of the Work

The primary driver for the partitioning of automation function between
ground and the spacecraft and for the priority ranking of automation
functions is the level of autonomy of the spacecraft. For this study,
we have used the following definitions of autonomy based on the JPL
study in the Air Force's Autonomous Spacecraft Project (Ref 10).

Autonomy - The ability of a spacecraft to meet mission-performance
requirement without human intervention or ground support for a
period of time.

Autonomy Level - Level of spacecraft autonomy; increasing level
signifies an increased number of automation functions.

The level of autonomy from Reference 10 is reproduced in Appendix C.

The following observations were made about the ten levels of autonomy
defined by JPL. For level 4 and under, ground intervention is required
for fault correction. For levels 5 to 10, the spacecraft is autonomously
fault tolerant. As the autonomy level of the spacecraft increases,
more capability is placed aboard the spacecraft and there is less
dependence on the ground. Figure 7.1.2-1 shows automation functions
plotted against level of autonomy for levels 4 through 10. The figure
illustrates the migration of automation functions from the ground to the
spacecraft and the decreased dependence on the ground as the level of
autonomy of the spacecraft increases.

System safety, reliability, and maintainability requirements will be
significant drivers in the automation. For the purpose of our method,
the basic reliability requirements from the Space Station Systems
Definition Book 5 (Ref 9) are cited as an example of the level of details
available during Pre-Phase-A and Phase-A periods. The excerpts from
this document are given in Table 7.1.2-2.

Define all basic design, performance, and mission-operations
requirements, including all functional interfaces with other subsystems and
experiments.

[Figure residue; recoverable axis label: Increasing Difficulty and Cost]



Table 7.1.2-2 Excerpts from Space Station Book 5 on Reliability

Requirements

The basic reliability requirement for the EPS is redundancy. The redundancy
requirement is that the EPS shall be designed to be fail operational/fail
safe as a minimum (except primary structure and pressure vessels) during all
operational phases (except assembly and maintenance or repair, all
subsystems shall be designed to be fail safe as a minimum.

Applicable Technology/Readiness Assumptions

The intent here is to discuss reliability technology and assumptions
applicable to EPS tradeoffs. Assumptions applicable include: (1) Safe
operation of Space Station can be assured by an integrated
reliability-maintainability approach, (2) Reliability-maintainability must be an
integral part of the design, development, test, and operation of each
subsystem. Technology applicable includes: (1) hardware redundancy (i.e.,
replication of subsystem and systems), (2) functional redundancy (i.e.,
nonidentical subsystems and systems which satisfy common functional
requirements), and (3) higher design margins (i.e., safety factors, high
reliability parts). Tradeoff studies of individual subsystems will address
reliability-maintainability and safety requirements in arriving at optimum
choices between technical options, costs, and performance.

Issues and Trades

A viable reliability-maintainability design approach for Space Station
through trade studies will be required early in the program. Limitations on
time to restore equipment and on resupply due to failures must be evaluated
from the standpoints of reliability, maintainability, safety, and
performance.

The basic concept of Space Station long life (10 years to indefinite) with
continuous operation has a significant impact on long life technology. Some
conclusions can be drawn from the basic reliability requirements from Book
5. Redundancy is a basic requirement. Therefore, redundancy management
will be a major automation task. A question about redundancy is, shall the
redundant unit be operating continuously or shall it be in the standby mode
only. A problem to be faced in redundancy management is accessing the
state-of-health of a nonoperating redundant unit.

When autonomy requirements are added to the redundancy requirements a burden
is placed on the subsystem designer to assure the system's reliability is
increased and not degraded by the addition of redundancy. Redundancy should
not be used as an excuse for making the nonredundant element as reliable as
possible.

The reliability requirements will drive significant trade studies in the
automation assessment area. There are questions of how to implement
redundancy. Shall redundancy be at the piece part level, and level within an
assembly, the assembly (black box level) or at the subsystem level? The
implementation of redundancy will set the level that faults can be detected
and corrected.

7.1.3 Step 3 - Define Faults and Impacts

Obtain Information from Task 2 Output - Use the study area defined in
Step 1 and obtain the list of faults and impacts from Task 2 results.

Analyze Fault-Correction Options - This is the point where the subsystem
designer can introduce the reliability requirements to generate a
trade study on the fault-correction options. Table 7.1.3-1 is a list
of reliability and redundancy questions to be considered by the
subsystem designer.


Table 7.1.3-1 Reliability and Redundancy Questions

Hardware Redundancy

  What Level?

  - Piece-Part
  - Board Level in Black Box
  - Assembly
  - Subsystem

  Operating State

  - Continuous Operating
  - Standby Nonoperating

  Block Redundancy Implementation

  - Block Size
  - Number of Blocks
  - Redefine Impact Assessment for Each Successive Block Failure

Functional Redundancy

  - Can Nonidentical Assemblies or Subsystems Be Used to Satisfy Common
    Functional Requirements?

Increase Design Margins

  Investigate the Possibility of Increasing Reliability by Increasing
  Design Margins in the Following Ways:

  - Increase Component Derating Factors
  - Decrease Max Allowed Semiconductor Junction Temperatures
  - More Stringent Piece-Part Screening and Burn-In
  - More Rigorous Worst-Case Analysis


It is likely that there will be Space Station-level requirements in the
above areas. It is also unlikely the subsystem designer will be able
to have much impact in the above areas, but he should be aware of them.

Categorize Faults - Two categories can be used for faults:

1) Class I - Mandatory correction;

2) Class II - Correction not mandatory.

From the need to eliminate single-point failures and the requirement
for redundancy, one might conclude that it is mandatory to correct all
failures and that a category of "not mandatory to correct" faults is
superfluous; however, there may be low-priority functions that will
only be required to fail safe rather than fail operate. Owing to the
capability of on-orbit maintenance and resupply, some types of faults
could be assigned a fail-safe category, and correction would be by
maintenance rather than by redundancy switching. One possible class of
fail-safe faults could be low-priority user loads that would be provided by
only nonredundant switching and fusing.

This is an area for the subsystem designer to consider — faults where 
correction is not mandatory — but it is likely the vast majority of 
faults will require mandatory correction. 

For the automation-assessment studies, it is recommended all faults be
considered Class I (correction mandatory) unless convincing reasons can
be found to classify a fault as Class II (correction not mandatory).

7.1.4 Step 4 - Determine Automation Candidates, Benefits, and Categories 

Automation Candidates and Benefits - Identify the automation candidates 
and benefits from the output of Task 3. 

Prioritize Automation Candidates - At this point, the level of autonomy
of the spacecraft can be introduced to prioritize the automation
candidates identified from the output of Task 3. A possible set of priority
rankings is shown below:

1) Machine autonomy required;

2) Some machine autonomy, but human involvement required;

3) Not practical to automate.

The task for the subsystem designer is now to go through the automation
candidates and prioritize them using the level of autonomy from Step 2.

7.1.5 Step 5 - Partition Automation Based on Level of Autonomy

Get Automation Partitioning from Task 4 Output - Use the detail study 
area defined in Step 1 to obtain the automation partitioning for that 
area from Task-4 output. 

Use Level of Autonomy to Partition - The subsystem designer can use the 
level of autonomy of the spacecraft to complete the partitioning of 
automation functions between the spacecraft and the ground. As an ex- 
ample, if level 4 is the level of autonomy being studied, this would 
require fault detection and safing to be on the spacecraft, but fault 
correction to be on the ground. If the autonomy level were to be 5, 
the fault correction function would move from the ground to the space- 
craft to satisfy the autonomously fault-tolerant requirements for au- 
tonomy level 5. 
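
The discriminators given at the end of Section 6.2 (fault definition level, correction resources level, external impacts) and the autonomy-level rule of Step 5 can be combined into one decision function. This is an added illustration, not code from the study; the `Fault` record, its field names and the 0..10 bound on the autonomy level are assumptions, and the sample rows are constructed from legible table cells on this page plus one hypothetical Class II fault.

```python
from dataclasses import dataclass
from enum import Enum


class Site(Enum):
    EPS = "EPS"
    SYSTEM = "System"
    GROUND = "Ground"


@dataclass(frozen=True)
class Fault:
    """One table row. Field names are assumptions made for this example."""
    name: str
    definition_level: Site          # "Fault Definition Level" column
    correction_resources: Site      # "Correction Resources" column
    external_impacts: bool          # "External Impacts" column
    onboard_practical: bool = True  # False: not practical to automate onboard
    fault_class: int = 1            # 1 = correction mandatory, 2 = not mandatory


def partition(fault, autonomy_level):
    """Place sense/act and correction authority for one fault.

    autonomy_level follows the JPL scale the study cites; the 0..10 bound
    used for validation is an assumption of this example.
    """
    if not 0 <= autonomy_level <= 10:
        raise ValueError("autonomy level outside 0..10")
    if fault.fault_class not in (1, 2):
        raise ValueError("fault class must be 1 or 2")

    # Discriminators: definable in EPS, correctable in EPS, no external impact.
    contained = (
        fault.definition_level is Site.EPS
        and fault.correction_resources is Site.EPS
        and not fault.external_impacts
    )
    if not fault.onboard_practical:
        authority = Site.GROUND      # handled by ground experts early on
    elif autonomy_level <= 4:
        authority = Site.GROUND      # level 4 and under: ground corrects
    elif contained:
        authority = Site.EPS
    else:
        authority = Site.SYSTEM      # analysis / executive authority

    return {
        # Sensing and acting (including safing) stay at the EPS in all cases.
        "sense_and_act": Site.EPS,
        "correction_authority": authority,
        # Class II faults may be fail-safe and repaired by maintenance.
        "correction_method": (
            "redundancy switching" if fault.fault_class == 1 else "maintenance"
        ),
    }


# Constructed sample rows, transcribed from legible cells of the tables.
SAMPLE_FAULTS = [
    Fault("Sensor drift", Site.EPS, Site.EPS, False),
    Fault("Slip ring noise", Site.EPS, Site.SYSTEM, False),
    Fault("Insulation short, wire to wire", Site.EPS, Site.EPS, True),
    Fault("Flexible structure oscillations", Site.SYSTEM, Site.SYSTEM, True,
          onboard_practical=False),
    # Hypothetical Class II case: a low-priority, nonredundant user load.
    Fault("Low-priority user load open", Site.EPS, Site.EPS, False,
          fault_class=2),
]


def report(autonomy_level):
    """Return (fault name, authority, method) for every sample fault."""
    rows = []
    for fault in SAMPLE_FAULTS:
        p = partition(fault, autonomy_level)
        rows.append((fault.name, p["correction_authority"].value,
                     p["correction_method"]))
    return rows


if __name__ == "__main__":
    for level in (4, 5):
        print(f"Autonomy level {level}")
        for name, authority, method in report(level):
            print(f"  {name:34s} {authority:7s} {method}")
```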

7.2 METHOD VALIDATION - EXAMPLE 1 

7.2.1 Step 1 - Define Study Area 

Fault detection, safing, and correction for dc-dc converters (P3 type). 

7.2.2 Step 2 - Define Inputs 

1) Autonomy level of spacecraft — autonomy Level 5, the spacecraft is 
to be autonomously fault tolerant; 
2) Reliability requirements — as an example, use Section 7.8, "System
Safety, Reliability, and Quality Approach," Space Station Systems
Definition, Book 5 (Ref 9).

3) Define the basic functional requirements of P3 and EPS.

7.2.3 Step 3 - Define Faults and Impacts

Identify Faults and Impacts (Table 7.2.3-1) - The subsystem designer
can go to Section 4.3 to obtain the list of P3 failure modes and
operational impacts.


Table 7.2.3-1 P3 (DC/DC Converter) Failure Modes and Impacts

| Failure Mode | Cause | Effect | Operational Impact |
|---|---|---|---|
| Vout Hi | Shorted pass transistor. Failed OV Sensor. | Damage loads. | 2 |
| | Shorted pass transistor. | (Corrected) | 0 |
| Low Output Power | Control circuit failure. | Partial loss of power. | 3,4 |
| Efficiency | Filter capacitor leakage, pass transistor switching loss increase, saturation voltage increase. | Assembly overheats. | 4 |
| Vin Hi | System anomaly. | Assembly may fail. | 4 |
| Iin Hi | Hi-leak input filter capacitor. | Assembly overheats. | 4 |
| Hi Temp | Thermal system failure. | Assembly overheats. | 4 |
| Iout Overload | Component degradation, load fault, or overload. | Output overloaded. | 4 |

Analyze Fault Correction Options - In this step, the subsystem designer
can use the reliability requirements being used in the study to generate
a fault-correction-options list for each of the faults identified
in Section 4.3. The obvious fault-correction option is to provide
block-redundant dc/dc converters. Block-redundant dc/dc converters
will be required. The question that may not be answered in this study
is the number of converters required and the amount of redundancy,
unless subsystem and component reliability allocations (e.g., 0.965) are
available.

A summary of the fault-correction options is shown in Table 7.2.3-2.

For each dc/dc-converter failure mode and cause, there is a list of
fault-correction options. One option that does not show explicitly in
Table 7.2.3-2 is the operational state of the block-redundant converters.
A question that must be resolved by the subsystem designer is:
shall the redundant units be nonoperating standby, or shall all the
units be operating? Some of the problems involved in
operating-versus-nonoperating block redundancy are as follows. It is difficult to
determine the state of health of nonoperating units. The control could
be made more complex to force a rotation of units from nonoperating
standby to primary operating to be able to check the state of health
and its performance trend. An advantage of nonoperating standby is
that if there were a fault that propagated and failed all operating
units, the standby would still be available. The advantage of having
an operating redundant unit is minimum response time to correct a
failed unit. Disadvantages of operating redundant units are inability
to operate them at maximum efficiency and the possibility of a fault
propagating and failing all the units connected to a dc bus.

Categorize Faults - There are two fault categories:

1) Mandatory correction (Class I);

2) Correction not mandatory (Class II).

Table 7.2.3-2 Fault Correction Options

| Failure Mode | Cause | Fault Correction Options |
|---|---|---|
| ^Out | Shorted series pass transistor. | Series, redundant pass transistors; consider control complexity increase, decreased efficiency. |
| | | Shunt regulator required on bus to detect and blow P3 input fuse. |
| | | Change to transformer-coupled configuration. |
| | | N-block-redundant dc/dc converters. |
| Low P Out | Control-CRT failure. | Selective piece-part redundancy. |
| Efficiency out-of-spec low | Switching-transistor loss excessive, filter-cap leakage. | Periodically calculate efficiency and limit check. |
| | | Switch to standby and use as backup. |
| V In High | System anomaly. | Detect and safe by turning converter off. |
| | | Add system-software redundancy to prevent from happening. |
| I In High | Filter-cap leakage. | Refer to hardware designers for possible hardware fix. |
| | | Periodically calculate and limit check. Remove converter on limit violation. |
| High Temperature | Thermal subsystem failure. | Add redundancy to thermal subsystem. |
| | | Modularize thermal subsystem to preclude total failure. |
| | | Ensure that there is sufficient thermal mass in converter to make a slow failure (seconds to minutes) to have response time. |
| | | Priority load shedding from overtemperature converter. |
| | | Priority load transfer to a standby converter. |
| I Out Overload | Load faults, component degradation. | Fuse all loads. |
| | | Provide active current limiting for each load. |
| | | Monitor load Z and remove high-current load. |
| | | Periodically monitor loads on bus to ensure that there is adequate margin from converter for fuse clearing. |
| | | Make converter overload tolerant. |

Inspecting the failure modes from the output of Task 2 for the dc/dc
converter, it appears that an efficiency fault could be classified II
(correction not mandatory), provided the heating did not exceed
shutdown limit. Operation with nonoptimum efficiency would be possible.
A possible strategy would be to switch the low-efficiency unit to a
nonoperating-standby status and then use it only in the event the main
unit failed. Even though the low-efficiency fault could be classified
II, it is considered mandatory to periodically assess the state of
health and check the efficiency.

Except for low efficiency, which can be classified II, all other dc/dc
converter faults from the output of Task 2 are classified I (mandatory
correction) because if they were not corrected, they would result in
loss of power to user loads.

7.2.4 Step 4 - Define Automation Candidates 

1) The subsystem designer can go to Section 5.2 to obtain the list of
automation candidates and benefits for dc-dc converters (see Table
7.2.4-1).

2) Prioritize the automation candidates - classify automation
candidates in the following three categories:

a) Machine autonomy;

b) Some machine autonomy, but human involvement may be required;

c) Not practical to automate.

Inspecting the dc-dc-converter automation candidates of Table 7.2.4-1,
they are all practical to automate; therefore, none are classified
III. Further checking of the automation candidates of Table 7.2.4-1
leads to the conclusion that human involvement is not required;
therefore, none are classified II. Because categories II and III have
been ruled out, all of the dc-dc converter automation tasks are
classified I. What this means is that machines can be used to perform
the automation tasks of detecting, safing, and correcting the faults
associated with a dc-dc converter.


Table 7.2.4-1 Dc/Dc Converter, P3 Type Failure Modes, Automation Candidates and Benefits

| Failure Mode | Automation Candidate | Method | Benefits |
|---|---|---|---|
| Shorted Series-Pass Transistor | 1, 2, 3 | Detect overvoltage and close shunt switch. | 1, 2, 4.5, 4.6, 6, 7, 15 |
| Low V Out | 1, 2, 3 | Sense V Out. When valid undervoltage, priority load shed and bus test. Determine P3 good/bad. Determine V In good/bad. If P3 bad, switch in backup, priority load connect. If P3 good, source overloaded, limit loads reconnected. | |
| Efficiency Below Acceptable | 1, 2, 3 | Switch backup on line, use low-efficiency one as standby. | 3, 5, 7, 8 |
| V In High | 1, 2, 3 | Monitor V In. P3 shutdown on V In Hi. Shift loads to another P3, or add loads to one with V In c | 2, 6, 7, 15 |
| I In High | 1, 2, 3 | Priority load-shed, then if still failed, switch off and bring on backup. | |
| High Internal Temp | 1, 2, 3 | Monitor temps, shutdown on overtemp. Bring backup online. Priority load add. | |
| I Out Overload | 1, 2, 3 | Monitor I Out, compare to limit, support for programmed time, turn off, pause, restart. | |

7.2.5 Step 5 - Partition Automation Task

The subsystem designer can go to Section 6.1 and obtain the list of
automation partitioning done without regard to spacecraft level of
autonomy. The dc-dc converter automation partitioning is given in Table
7.2.5-1.

If a level of autonomy is defined at the Space-Station level, the
partition would be driven by it. For this demonstration, a level of
autonomy of 5 for the spacecraft was chosen in step 1. The primary
meaning of a level 5 is that the spacecraft shall be autonomously fault
tolerant and shall do fault correction without ground involvement. To
satisfy the requirement for autonomous fault tolerance and fault
correction without ground intervention, all of the converter activities
must be performed onboard the spacecraft.

7.2.6 Summary of Dc/Dc Converter Automation Assessment 

Correction options in addition to block-redundant converters were
considered. The low-efficiency fault may not be mandatory to correct if
shutdown temperatures are not exceeded. All other converter faults are
classified "mandatory correction."

All of the converter automation candidates identified must not require
human intervention and should be done by machine. If
station-autonomy-level 5 is used, it can be concluded that all
functions should be done onboard the space station and not on the
ground. It is still the responsibility of the subsystem designer to
decide which fault-correction options to implement and to justify the
final partitioning between the EPS and system onboard the space
station.

The partitioning of automation functions between the ground or the
spacecraft is a basic system-design decision. This example illustrates
a method of partitioning if a level of autonomy of the spacecraft is
given. Use of the high-level autonomy requirement provides a means of
tracing the automation partitioning as well as the function-automated
space station system requirements.

7.3 METHOD VALIDATION - EXAMPLE 2


7.3.1 Step 1 - Define Study Area 

Determine a method of extending cable life on a space station through 
the application of automation. 

7.3.2 Step 2 - Define Inputs 

1) Autonomy Level of Spacecraft: Level 5; 

2) Reliability Requirements:

Use Section 7, 8, System Safety, Reliability, and Quality Approach
of the Space Station Systems Definition, Book 5, First Edition,
November 1982;

3) Define the basic functional requirements of the cable bundle in
question.

7.3.3 Step 3 - Define Faults and Impacts, and Analyze Corrective Actions 

Faults and Impacts - The faults and impacts for cable are summarized in
Table 7.3.3-1. Note that insulation can be degraded by overtemperature
condition; cable overtemperature can have numerous causes such as too
many wires in a bundle, excessive power transfer, or insufficient
heat-sinking. A contributing cause to not detecting and correcting the
overtemperature problem can be a lack of temperature monitoring
internal to a cable-bundle assembly. The impact is a loss of
fault-management capability. In the context of this study, there would
be other impacts, namely:

1) Decreased operating power margins;

2) STS resupply mission;

3) Onorbit maintenance;

4) Crew safety.


Table 7.3.3-1 Cabling Failures/Activities and Impacts

| Failure or Activity | Effect | Cause | Operational Impact |
|---|---|---|---|
| Cable Opens | Loss of power or signal to user equipment. | Connector fault. | 3,4 |
| Wire-to-Return Shorts | Loss of power or signal to user equipment. | Insulation fault. | 3,4 |
| Wire-to-Wire Shorts | Loss of power or signal to user equipment. | Insulation fault. | 3,4 |
| Insulation Degradation Due to Overtemp | None. | Lack of monitoring. | 5,6 |
| Thermal Subsystem Failure | Increase cable temp, decrease allowable power through a cable. | Failure in another subsystem. | 4,6 |
| Modular Buildup | Miswiring; open wires. | Inadequate interface design or assembly procedure. | 4,6 |


Analyze Fault-Correction Options - At this stage, the subsystem
designer can study the fault-correction options. The first option is to
increase the reliability so that monitoring is not required. Ways to
increase reliability are to develop higher-temperature insulation; put
fewer cables in a bundle to limit cable-temperature increases;
heat-sink the cables; match the sources, loads, and cables to make it
physically impossible to drive a cable overtemperature in the worst
case; and increase the reliability of the power-dispatch software to
reduce the probability of a cable going overtemperature. This option
study provides a formal way for the subsystem designer to perform trade
studies to increase cable reliability.

The next option the subsystem designer can study is the use of block
redundancy by adding cables. Questions to be considered are: How much
redundancy? Should it be operating or nonoperating? Other questions
relate to redundancy level. Should the cables, including connectors,
be redundant? Should the insulation be made doubly redundant, or
should the wires in a cable be made redundant? Are there different
routes for redundant cables? It is necessary to ensure that there is
no mechanism that could damage both the primary and the redundant cable.

The above fault-correction options were included to focus on some of 
the reliability studies that the subsystem designer could perform to 
lay a foundation for meeting reliability requirements. The subsystem 
designer could use the above studies to decide if the probability of a 
cable overtemperature is high enough to warrant installing and monitor- 
ing the temperature detectors in the cable assembly. 

Categorize Faults - There are two fault categories: 

1) Mandatory correction; 

2) Correction not mandatory. 

Inspection of the faults in Table 7.3.3-1 leads to the conclusion that
cable overtemperature may be classified as II for temperatures below 
immediate failure if decreased cable life is preferred over higher op- 
erating temperatures. If cables must not operate above a temperature 
threshold, all of the faults are classified I (correction mandatory) 
because failure to correct would violate the no-single-point-failure 
criteria. 

7.3.4 Step 4 - Define Automation Candidates and Benefits 

The list of cabling failure modes and automation candidates and
benefits is given in Table 7.3.4-1.

The set of automation priority categories is shown below.

1) Machine autonomy required;

2) Some machine autonomy, but human involvement required;

3) Not practical to automate.

It is practical to automate all cable fault correction, except correc- 
tion of faults due to station modular buildup. Detection and safing of 
cable faults is possible, but correction of the underlying modular 
buildup problem is not practical to automate without a definite design. 

The thermal subsystem failure could be classified as II (some machine
autonomy, but human involvement required). The reason is that a 
thermal-subsystem failure may be classed as a high-level unsafe condi- 
tion that will require human involvement. It is expected that machine 
autonomy would be provided for cable fault detection, safing, and cor- 
rection, but human involvement would be required in correcting the un- 
derlying thermal subsystem failure. 

The cable-open, short, or overtemperature failures are classed as I 
(machine autonomy required), because it is practical to have a computer 
detect, safe, and correct these faults. 

7.3.5 Step 5 - Automation Partitioning 

Correction tasks for the cable high-temperature and insulation faults
should be partitioned to the spacecraft and not to the ground. A cable
fault caused by modular buildup of the space station has dual
partitioning. Electrical problems associated with the modular buildup,
fault detection, safing, and correction, are partitioned to the
spacecraft. For the early stages of the program, it is thought that
correction of the underlying problems associated with modular buildup
is not a routine problem. It appears highly probable that human
involvement will be required to resolve modular buildup problems. One
study area will be to determine where the expertise should be: with the
flight crew or with the ground. A possible conclusion is that the
expertise should be on the ground to minimize crew training for
nonroutine operations.

7.3.6 Summary of Cable Automation Study 

The study area was defined as how to extend cable life through automa- 
tion. Fault-correction options include: 

1) Use of high-temperature insulation; 

2) Fewer cables in a bundle; 

3) Heat-sink cables; 

4) Match sources, cables, and loads to make it impossible to drive a
cable overtemperature;

5) Load management;

6) Block-redundant cables; 

7) Double insulation; 

8) Multiple wires for cable; 

9) Different physical routing for redundant cables; 

10) Monitor critical cable bundle temperatures and provide appropriate 
control. 

A cable-overtemperature fault may not be mandatory to correct if it is
decided to trade cable operating life for cable temperature.
Otherwise, all cable faults defined are classified as "correction
mandatory."

Problems arising from modular buildup are considered nonroutine, and
their correction activities will likely be partitioned to the ground
early in the program. All other automation activities were partitioned
to the space station.


8.0 ARTIFICIAL INTELLIGENCE (AI) TECHNOLOGY AND ITS ROLES 


8.1 AI TECHNOLOGY 

Artificial intelligence is that branch of computer science concerned
with the design and implementation of programs that make complicated
decisions, learn, or become more adept at making decisions, interact
with a man in a natural way, and, in general, behave in a manner
typically considered the mark of intelligence.

Intelligence is to be understood not as a property that, for example,
gifted mathematicians possess, but rather as a property all men and
some animals possess. Intelligence, in this sense, is the ability to
understand and process large amounts of information. It is the ability
to meet and cope with novel situations, to comprehend the
interrelationships between facts and concepts, and to generate new
concepts and relationships from those already known (i.e., already in
the data base). The artificiality of the intelligence means merely that
the intelligence is achieved by means of technology.

Scientific research done in AI covers a large area of theoretical
topics such as knowledge representation, knowledge acquisition, problem
solving and search, vision, theorem proving, and natural language.
Though each one of these topics can be researched from the
human-ability perspective, i.e., by asking how a man represents
knowledge, acquires knowledge, solves problems, sees objects,
communicates, etc., researchers in AI are concerned with implementing
the given ability in computers. AI is not only a theoretical
enterprise; it has definite and robust applications. The primary
concern in the applications arena is the design and implementation of
expert systems and natural language interfaces.

Aside from the general scientific curiosity of wondering how to design
and implement a computer program that learns, what advantages might
obtain from the application of AI? Specific examples cited below are
some rather broad, obvious ones.

1) Augmenting our ability as humans to come to grips with the enormous
and increasing amounts of information that we are generating;

2) Increasing the efficiency in man/machine interfaces (the ability to
communicate with a computer in English) enables humans to get more
work done and obviates the need for specialists in those hard-to-use
formalisms known as modern computer languages and data-base query
languages;

3) Creating systems (such as space vehicles) that can make crucial
decisions on their own when they have to;

4) Decreasing the effect of such human problems as forgetfulness,
fatigue, and emotional turmoil;

5) More rapid problem solving, and strategic and tactical planning, in
a wide variety of domains.

An expert system is an intelligent computer program that embodies the
knowledge of human experts in a particular domain of expertise. Expert
systems recognize situations, derive conclusions, make decisions based
on what they recognize, and recommend corrective and directive
actions. All of this is done with a competence comparable to that of
human experts. Figure 8.1.1-1 illustrates the basic components of an
expert system. It contains a knowledge base, a rule base, and an
inference engine. The knowledge base (sometimes called working memory)
stores the information (data) on which the expert system operates. The
knowledge base is constantly updated as data are added or deleted. The
rule base is the component that gives the expert system its expert
competence, that is, the ability to make decisions, recommend actions,
etc.

Figure 8.1.1-1 Basic Components of an Expert System


Rules are of the form: 


IF conditions A, B, and C are true, THEN perform actions X and Y. 


Hence the rules are referred to as condition-action or situation-action 
pairs. 

The inference engine’s job is to execute various rules depending on the 
contents (data elements) of the knowledge base. Conceptually, the in- 
ference engine's algorithm is a search and pattern match. It scans the 
rules, efficiently searching for a rule whose antecedent (the IF part) 
matches the present state of the world, i.e., the facts in the present 
knowledge base. If a match is found, the consequent of the rule (the 
THEN part) is executed. The actions can be anything from querying or 
advising a human user to performing a real-world action, such as up- 
linking commands to a satellite or moving a robot arm, to manipulating 
its knowledge base or rule set and modifying the behavior of the expert 
system itself. 
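The match-and-execute cycle described above, as an added example that is not code from the report: a small knowledge base, rule base and inference engine in Python whose rule actions paraphrase the Method column of Table 7.2.4-1. The numeric limits, the fact names and the first-match, fire-once conflict strategy are assumptions made for the illustration.

```python
"""Knowledge base + rule base + inference engine for dc/dc converter faults.

Added illustration. Rule actions paraphrase the Method column of
Table 7.2.4-1; limits and fact names are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Facts = Dict[str, Any]             # the knowledge base (working memory)

# Assumed limits, chosen only for the example.
TEMP_LIMIT_C = 85.0
I_IN_LIMIT_A = 12.0
EFF_LIMIT = 0.80


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Facts], bool]   # antecedent (IF part)
    action: Callable[[Facts], None]      # consequent (THEN part)


def switch_off_primary(cause: str) -> Callable[[Facts], None]:
    def action(f: Facts) -> None:
        f.update(active=None, primary_state="off", fault=cause)
    return action


def shed_priority_loads(f: Facts) -> None:
    # Simulated effect of dropping low-priority loads on input current.
    f["i_in_a"] = f["i_in_a"] - f["sheddable_a"]
    f["load_shed"] = True


def low_efficiency_swap(f: Facts) -> None:
    # Backup goes on line; the low-efficiency unit is kept as standby.
    f.update(active="backup", backup_state="on",
             primary_state="standby", fault="low_efficiency")


def bring_backup_online(f: Facts) -> None:
    f.update(active="backup", backup_state="on")


def restore_loads(f: Facts) -> None:
    f["load_shed"] = False


def on_primary(f: Facts) -> bool:
    return f["active"] == "primary"


# Rule base, listed in priority order (first match wins).
RULES: List[Rule] = [
    Rule("overtemp: shut down",
         lambda f: on_primary(f) and f["temp_c"] > TEMP_LIMIT_C,
         switch_off_primary("overtemp")),
    Rule("I-in high: priority load shed",
         lambda f: on_primary(f) and f["i_in_a"] > I_IN_LIMIT_A
         and not f["load_shed"],
         shed_priority_loads),
    Rule("I-in still high: switch off",
         lambda f: on_primary(f) and f["i_in_a"] > I_IN_LIMIT_A
         and f["load_shed"],
         switch_off_primary("i_in_high")),
    Rule("low efficiency: swap to backup",
         lambda f: on_primary(f) and f["efficiency"] < EFF_LIMIT
         and f["backup_state"] == "standby",
         low_efficiency_swap),
    Rule("no active converter: bring backup online",
         lambda f: f["active"] is None and f["backup_state"] == "standby",
         bring_backup_online),
    Rule("backup online: priority load add",
         lambda f: f["active"] == "backup" and f["load_shed"],
         restore_loads),
]


def infer(facts: Facts, rules: List[Rule] = RULES) -> List[str]:
    """Match-fire loop: fire the first unfired rule whose IF part matches the
    current facts, then rescan, until nothing matches. Returns the trace."""
    fired: List[str] = []
    while True:
        rule = next((r for r in rules
                     if r.name not in fired and r.condition(facts)), None)
        if rule is None:
            return fired
        rule.action(facts)
        fired.append(rule.name)


def diagnose(**readings: Any) -> Tuple[List[str], Facts]:
    """Start from a nominal state, overlay constructed telemetry, run engine."""
    facts: Facts = dict(active="primary", primary_state="on",
                        backup_state="standby", temp_c=40.0, i_in_a=8.0,
                        efficiency=0.90, load_shed=False, sheddable_a=3.0,
                        fault=None)
    facts.update(readings)
    return infer(facts), facts


if __name__ == "__main__":
    for case in ({}, {"temp_c": 95.0}, {"i_in_a": 14.0}, {"i_in_a": 20.0},
                 {"efficiency": 0.70},
                 {"temp_c": 95.0, "backup_state": "failed"}):
        trace, final = diagnose(**case)
        print(case, "->", trace, "| active:", final["active"])
```

Because each consequent rewrites the knowledge base, one fault can chain through several rules: an input current that stays high after load shedding leads to switch-off, backup activation and load restoration in a single run.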

The rules of the rule set are obtained by interviewing a human expert.
This is a tricky and involved process because experts cannot just be
debriefed. One could not, for example, walk up to a physician and say,
"Tell me how to diagnose and treat a sick person," and hope to produce
an expert system. Human experts often are not quite clear about how
they do the things they do. Rather, the knowledge of their field must
be ferreted out by someone who knows (or discovers) what questions to
ask and more importantly, how to ask them. The experts might be given
problems and asked how they would solve them, with each step in the
solution being fully documented. In fact, a step may require posing
another problem in order to explicate it. Interviewing is frequently a
lengthy process, but this is what forms the basis of the expert-system
technology. Building an expert system is not possible without an
expert.

All of the ability of an expert system stems from its matching
antecedents and executing consequents. Almost all of an expert system's power
derives from the depth of understanding and the cleverness of human ex- 
perts captured in its rules. It is also important, however, to develop 
an organizational scheme for the rule set so that efficient searches 
can be obtained, and it is important to have the knowledge base organ- 
ized in a way that allows for rapid access, rapid addition and deletion 
of facts, and, most importantly, the capturing of complex relations 
between facts that make the knowledge base rich. 

The problem of knowledge-base organization is referred to in the
artificial intelligence community as knowledge representation. Probably
the most favored basic approach to knowledge representation is the di- 
rected graph. But the variations on this theme are numerous, and there 
is some controversy as to which variation is "correct." At stake, it 
is believed, is not merely an implementational formalism detail, but 
the deriving of a representation that gives (1) the right facts in the 
world, and (2) the right relationships between the facts. 

Expert systems are designed for, and are most useful in, areas that
heretofore relied only on the judgment of human experts, that is, in
areas where the problems to be solved are complex, not easy to delimit,
and require the use of high-level judgments and evaluations of
situations. Thus, expert systems are not designed, or intended, to
replace all problem-solving software. Many problems require algorithmic
solutions, but many do not; those that do not require experts to
evaluate and assess situations and then make judgments based on these
assessments. Expert systems exist because such evaluations and
judgments can be transformed into rules and then implemented in a
programming language.

Another feature that expert systems exhibit that increases their
viability is that the rule set can be thought of as data, that is, as
part of the knowledge base. This enables the expert system to alter the
rules of the rule set in various ways. Under some circumstances, it is
possible to view this alteration of the rule set as learning; some
expert systems have this feature and do become more adept at decision
making. This learning feature is obviously very desirable, and although
the technology involved is not yet commensurate with that for deducing
and inferencing in expert systems, it is only a matter of time before
expert systems incorporate some degree of learning.

8.1.2 Natural Language Interface 

It is usual to have a natural language interface to facilitate the use
of the expert system. A natural language interface is a computer
program that allows an end user to interact with an application program
using a "natural" language such as English rather than special menus or
special-purpose languages such as FORTRAN for programming, RAMIS for
data-base queries, or JOVIAL for command and control. A key advantage
to using a natural language interface rather than a more conventional
interface is ease of learning and use. Because English is used, no
special languages must be learned. Because its use is an extension of
a person's normal communication skills, a natural language interface
can often be a highly effective way to interact with a computer program.

The appropriateness of a natural language interface in a given domain
is a human factors question: How much will such an interface simplify
the activity of the end user? The answer turns on several issues.
Foremost is the range of interaction the user will have with the
computer program. As noted above, a major difficulty with conventional
interfaces is that they often have highly rigid formats and require
substantial training. The larger the interactions, the longer the
training period and the more difficult it is to remember the specific
format required for a particular interaction. When there are only a
few interactions (or types of interactions), the more conventional
interface might be more appropriate.

The more complex the program the user is working with, however, the
more likely the user is to want greater interface with the computer
program. For many automation activities, the program will be an expert
system with a wide variety of capabilities. The wider this variety, 
the more desirable a natural language interface. Users do not have to 
learn intricate, easy-to-forget aspects of a special-purpose query or 
command language. In simply knowing what the system can do, a user can 
couch a command or query in English and let the system figure out how 
to respond. 

This flexibility is quite important. Menu-driven interfaces have a
certain amount of this flexibility also. A sophisticated,
well-designed menu system can sometimes be used by individuals who have
no training for that menu, especially if they have experience with
other menu systems. With no training for a particular menu system,
however, "solving" the menu (determining what commands are in which
layer of the menu hierarchy) can be tedious and time consuming. Once
the menu is known, the layering of menus can become more of an obstacle
than a facilitator. Some menu systems attempt to overcome this obstacle
by allowing experienced users to type in the commands directly without
wading through the menu. Unfortunately, this solution is really just a
special-purpose interaction language with many of the same problems as
discussed above. It is, however, better than having only a standard
special-purpose language because the users can fall back on menus if
the special commands are forgotten.

Natural language interfaces resolve the problems of forgetting and
having to "solve" the menu. Users never need to learn a menu or a
special language; with no special training, users can interact with the
system with the same English they use for everyday communication. These
"ordinary" language skills can be immediately transported from system
to system as special-purpose language skills cannot. Highly
sophisticated natural language interfaces are also able to train the
user in the capabilities of the end system, eliminating the need for
highly detailed knowledge of what the system can do before sitting down
to use it.

An occasional argument against natural language interfaces is an
alleged loss of efficiency: it takes too long to type complete,
grammatical sentences. Once learned, it is claimed, a special-purpose
language is much faster and easier. However, the ideal natural language
interface would be able to understand English with all the grammatical
errors, incompleteness, and inaccuracies found in everyday use. A
great deal of work presently is being done in these areas, and
significant progress has been made. When continuous speech recognition
is perfected, probably sometime in the next few years, the obstacle of
needing to type will be eliminated. At that point, the utility of
natural language interfaces will far outstrip that of more conventional
interfaces for a vast portion of applications.

Expert System Status - Expert systems have existed since 1965 when
DENDRAL was introduced. DENDRAL infers the molecular structure of
compounds from their spectrogram data. In 1974, MACSYMA was built.
MACSYMA is an expert system that does symbolic manipulations of
mathematical expressions. Also in 1974, MYCIN was completed. This
expert system is perhaps the most famous: it provides diagnoses and
prescriptive advice to physicians treating patients with blood-related
diseases. All of these expert systems (and there are many more) are
being used today either in research tasks designed to test their total
capabilities or in narrowly confined aspects of industry. However, an
explosion of new applications presently is underway throughout industry
and the universities. Within the next decade, expert systems are
expected to move out of the laboratories and become increasingly
involved in human affairs. In fact, in 1981, R1 was installed for
commercial use by Digital Equipment Corporation for configuring their
VAX-11 computer systems.

8.2 CRITERIA FOR IDENTIFYING EXPERT-SYSTEM SOFTWARE CANDIDATES

A given candidate for automation warrants considering an expert system 
approach if: 

1) For potential control application, non-real-time processing or very 
slow response is required; 

2) Automating the given activity requires processing large amounts of 
information that are available in random fashion; 

3) The processing involved requires nonalgorithmic and heuristic pro- 
cedures. In fact, for some activities, there may be no algorithmic 
procedures, at least not to anyone's knowledge; 

4) The automation activity needs, or results in, a high-level decision 
(e.g., one that affects several spacecraft subsystems); 

5) The software responsible for automating the given activity will be 
frequently modified as a result of the dynamic influences of its 
environment or as a function of time. 

Another discriminator to identify automation tasks for expert systems
is complexity and how the tasks have been performed in the past. Simple
tasks that are well understood and have algorithmic solutions are not
good candidates for expert-system solution. The expert-system solution
could be an overkill. If the task is complex enough that in the past it
could only be performed by a recognized expert, or group of experts,
then the task is a good candidate for automation by expert-system
software.

8.3 POTENTIAL ROLES OF THE EXPERT SYSTEM IN POWER SUBSYSTEM AUTOMATION 

Several power-subsystem and space station system-related functions
appear to be in the domain of the expert system, and thus are good
candidates for an in-depth evaluation of expert-system software
applicability. Table 8.3-1 is a list of these functions. Note the level
of complexity in electrical consumables management and
battery-operations-management tasks. It is also emphasized that
algorithmic and deterministic software modules are involved, along with
an expert system module, in many of the potential applications. This
simply means that even if an expert system approach is used, there is a
large amount of engineering algorithm development and validation
effort.

Table 8.3-1 List of Potential Expert System Candidates


Function 


Electrical Consumables Management 

- Power Capability Determination 

- Load Profile Determination 

- Load Shifting and Shedding Analysis 

- Energy Balance Calculation 

- Load Sequence Control and Load Command Generation 

- Power Subsystems Reconfiguration 

- Power Subsystem State Determination 

Battery-Operations Management 

- Battery Cell/Module State of Health Determination 

- Battery SOC Trend Analysis 

- Battery Loadsharing Analysis and Control 

- Battery Recharge Fraction Adjustment Analysis and Control 

- Battery Cycle Life Analysis 

Performance Trend Analysis 

- All Major Components 

Fault Detection and Diagnosis 

- All Major Components 

Anomaly Analysis 




9.0 CONCLUSIONS AND RECOMMENDATIONS 

The significant conclusions and recommendations of the study are as
follows:

1) To meet basic station objectives and goals presently defined in the 
NASA Space Station Definition Book, all power subsystem automation 
candidates defined in this study, except for anomaly handling, must 
be implemented to a varying degree of automation. 

2) Specific functions that have immediate high payoffs for onboard 
applications are: 

a) Data Acquisition, Processing, and Storage, 

b) State of Health Monitoring, 

c) Built-in Test and Checkout, 

d) Fault Detection, Isolation, and Correction, 

e) Performance and Trend Analysis, 

f) Integrated Array/Battery Controller and Load Management (Space 
Station Level), 

g) Electrical Consumables Management (Space Station Level). 

Automation of any combination of the above functions (a through g) 
will have a significant beneficial effect on mission-operations 
efforts on the ground. A detailed study is recommended to deter- 
mine the effects of onboard automation of monitoring functions on 
ground activities such as failure detection, consumables management,
and crew and flight-controller training.

3) A key driver in when and what to automate in the subsystem is
spacecraft autonomy level, which must be defined at the program 
level. 

4) The best way to partition an automated activity between the EPS,
spacecraft system, and ground is to first define each subtask
required to be performed, and then assign each subtask to EPS, system,
and ground, in terms of:

a) Sensing,

b) Analyzing,

c) Acting.

5) In real-time control consideration, the principal driver in the
hardwired-versus-software (i.e., using digital computer) trade is the
speed requirement for implementing that control function. Therefore,
in general, all offline or non-real-time tasks such as monitoring,
performance analysis, and fault diagnosis that require slow response
and are not in the control loop can be done with a digital computer.

6) The best onboard-application candidates for expert systems for any
of the power automation functions appear to be electrical-consumables
management and battery-operations management. Potential ground
applications are in non-real-time fault assessment and mission
planning. An in-depth research investigation is desirable and highly
recommended to determine:

a) The range and domain of its applicability to power-system control
functions;

b) Adequacy of AI language for onboard use;

c) Computer hardware (speed, memory) required to support expert-system
software.

7) A significant effort in engineering-algorithm development and
validation is essential in meeting the 1987 technology-readiness date.
There are many implementation approaches to each automation function
because they are done by software. Thus, future efforts in algorithm
development must include optimization processes with simplicity and
reliability in mind. It should be emphasized that algorithm development
also is necessary to permit a detailed design of any expert-system
software such as that for electrical consumables and battery management.

APPENDIX A


STATEMENT OF WORK 

A. The contractor shall provide the necessary personnel and facilities 
to conduct the required studies and perform appropriate assessments and 
trade-offs to define and establish the automation technology required 
to support a multi-hundred KW electrical power subsystem for a space 
platform or space station. This study effort will not rely on a speci- 
fic reference design but will be more generic in nature. Consequently, 
the study must include a broad characterization of subsystem parame- 
ters, functions and operational scenarios. 

B. Specifically, the contractor shall perform the following tasks: 

Task 1. Characterize and classify a generic electrical power subsystem
based on a conceptual system block diagram(s) that includes a definition
of the functions, characteristics, voltage types, voltage block
diagram. This task shall be done for each phase in a mission profile
(i.e., pre-launch, launch, orbital operations, on-orbit
service/maintenance/resupply, etc.)

Task 2. Using the results of task #1, develop a comprehensive list of
all potential faults and/or activities that could impact the power
subsystem and prevent it from performing its intended mission. This will
include such parameters as operational environments, single point
failures, insufficient redundancy, human error, over-stressed conditions,
inadequate protection, inaccurate sensors, etc.

Task 3. Based on tasks 1 and 2 above, generate a candidate list of 
automation activities that could eliminate and/or minimize the identi- 
fied impacts as well as those activities not related to impacts that 
can provide both a short term and a long term benefit to the power sub- 
system if incorporated. This would include such activities as redun- 
dancy, derating, fault management, shifting burden from man to ma- 
chines, algorithms for management strategies, partitioning of functions 
between the space station and ground, hierarchy control of functions, 
etc. Perform an assessment and trade-offs on all automation activities 
to determine such aspects as range of benefits to be achieved
(performance, cost, weight, volume, complexity, etc.), timeline for
implementation, system performance improvements, reduced operations
burden, relaxed critical measurements (i.e., red line values, limitations, etc.),
preprocessing of data, flexibility in scheduling, and other similar 
activities that will improve performance, reduce costs, reduce depen- 
dence on manual involvement, increase operational life and reduce the 
overall life cycle cost of the power subsystem. 

Task 4. Partition the automation activities between the power subsys- 
tem, the space station and the ground to maximize the overall configu- 
ration in terms of operations management, information flow, controls 
distribution and system performance. Establish criteria for the parti- 
tioning and generate rationale for the resulting configuration. A com- 
parison of the benefits before and after the partitioning shall be done 
to determine the value of the benefits derived.

Task 5. Develop a system for utilizing all of the information and data
resulting from the above tasks to establish a logical ordering of the
automation activities vs. derived benefits. Benefits being such elements
as costs, time, reliability, fault isolation, system protection,
system recovery, self monitoring and reconfiguration, etc. The end
product of this task should be in a format such that the requirements,
characteristics, constraints, values, methods, and other parameters
that describe introduced and processed to provide a system level
engineering approach to the automation of that power subsystem. In
essence, the resulting system or plan will serve as a "logic flow"
methodology for determining what functions and/or activity should be
considered for automation, what is required to implement the automation
(options), how do the options compare (cost, complexity, value, etc.),
interactions with other elements and/or activities, availability of the
technology, impact on system performance, etc. Therefore, the developed
system will test the application of automation technology, evaluate
it, provide directions and quantify benefits. Specific examples
shall be demonstrated to verify the concept.

GUIDELINES, CONSTRAINTS AND INSTRUCTIONS 

The following are intended to focus the efforts in conducting the tasks 
for this study. 

A. The space station electrical power subsystem is targeted at 250 KW 
and probably modular. The space station is large, in low earth orbit, 
unmanned and manned and has a life of greater than 10 years. 

B. Inputs involving automation activities at the space station level
will be provided by the COR. JPL is conducting an "Autonomous Spacecraft
System Technology" task that will define autonomous system design
requirements, develop system architectures (including partitioning of
functions) and identify enabling and enhancing technology needs. MSFC
and JPL will coordinate the respective tasks and all inputs from this
effort (specific partitioning of functions, automation criteria, command
and control functions, centralized vs. distributed controls, etc.)
will be provided only through the COR.

SIMPLIFIED BLOCK DIAGRAMS OF VARIOUS SPACECRAFT PHOTOVOLTAIC POWER
SYSTEMS

This appendix contains simplified block diagrams of selected photovoltaic
power systems on LEO, medium altitude, and GEO spacecraft.
Representative terrestrial and aircraft systems are also included.

FLTSATCOM Power Systems, GEO Application (Ref 44)



Figure B-9 INTELSAT-3 Power System, GEO Application (Ref 45)

Figure B-10 INTELSAT-V Power System, GEO Application (Ref 46)

Features

- Integrated Array Bus Voltage and Battery Charge Control via Desk-Top
Computer (HP9845)

- Four 120-Cell Lead Acid Batteries, 1.6 MW-h Total

- 240-Vdc Bus Tied to a Single 300-kVA Inverter

- 350-kW Point Focus (40X) Silicon Solar Array

Figure B-11 Simplified Block Diagram of 350-kW Photovoltaic Power System
for Saudi Arabian Villages (Ref 14, 15)

Advanced Aircraft Electrical System, 270-Vdc Bus, Using Solid State
Controllers (Ref 47)

LEVELS OF AUTONOMY


(Reproduced directly from Ref 12, pp 125-127.) 

In performance of a space mission, four major policy goal categories 
have been identified. These are: 

(1) Ground interaction reduction. 

(2) Spacecraft integrity maintenance. 

(3) Autonomous features transparency.

(4) On-board resource management. 


The extent to which these goals have been accomplished to date has been 
through a mix of functions resident in either the space segment or the 
ground segment. Furthermore, the ground segment, as an integral part of the 
total system, has been responsible for accomplishing maintenance, navigation 
mission control, and payload data processing. Thus, only minimal spacecraft 
autonomy has been needed. 

The levels of autonomy described in this appendix are used to define a 
step-wise increase in spacecraft autonomous capability. By proceeding 
through the levels, autonomous capability is increased in the space segment 
and dependency on the ground segment is reduced. 

The levels of autonomy are described as follows: 

Level 0. A design without redundant elements which meets all mission 
needs by operating without the on-board control of state parameters (such as 
rates and position). May respond to a prespecified vocabulary of external 
commands, but cannot store command sequences for future time- or
event-dependent execution or validate external commands. (An open-loop, on-board
system controlled from the ground.) 

Level 1. Includes Level 0 but uses on-board devices to sense and
control state parameters (such as rates and positions) in order to meet 
performance needs. Is capable of storing and executing a prespecified 
command sequence based on mission-critical time tags. Will respond to 
prespecified external commands, but cannot validate external commands. 
Functionally redundant modes may be available for a degraded-performance 
mission. 

Level 2. Includes Level 1 plus the use of block redundancy.
Ground-controlled switching of spare resources is required. Uses cross-strapping
techniques to minimize effect of critical command link (uplink) failure
modes. Significant ground-operator interaction is required to restore
operations after most faults if spare spacecraft resources are available.
Requires operator interaction for fault recovery. Is capable of storing and
executing mission-critical events which are sensed on-board and may be
independent of time.


Level 3. Includes Level 2 and is capable of sensing prespecified 
mission-critical fault conditions and performing predefined self-preserving
(entering a safe-hold state) switching actions. Is capable of storing 
contingency or redundant software programs and being restored to normal 
performance (maintaining the command link with a single link fault) in the 
event of a failure. Timers may be used to protect resources. Requires 
ground operator interaction for fault recovery. In general, the failure to 
sense and/or execute the mission-critical event(s) will cause mission 
failure or loss of a major mission objective. 


Level 4. Includes Level 3 but is also capable of executing 
prespecified and stored command sequences based on timing and/or sensing of 
mission events. Ground-initiated changes to command sequences may be 
checked on-board for syntactical errors (parity, sign, logic, time). Uses 
coding or other self-checking techniques to minimize the effects of 
internally generated data contamination for prespecified data transfers. 
Requires ground-operator interaction for fault recovery. In general, 
failure to sense and/or execute the mission event(s) or state-changes 
(excluding failure-induced state-changes) will cause mission failure or loss 
of a major mission objective. 

Level 5. Includes Level 4 and is also autonomously fault-tolerant. Is 
capable of operating in the presence of faults specified a-priori by 
employing spare system resources, if available, or will maximize mission 
performance based upon available capability and/or available expendables 
(i.e., self-loading of contingency programs) without ground intervention. 

Level 6. Includes Level 5 and is capable of functional commanding with 
on-board command-sequence generation and validation prior to execution. 
Functional commanding may include a high-level, pseudo-English language, 
spacecraft-system/operator communication and control capability. 

Level 7. Includes Level 6 and is capable of autonomously responding to 
a changing external environment, defined a-priori, so as to preserve mission 
capability. The capability to change orbit in order to compensate for 
degradation or to protect the satellite from an external threat is 
included. 

Level 8. Includes Level 7 and is capable of operating successfully 
within the presence of latent design errors which could cause loss of major 
mission objectives.

Level 9. Includes Level 8 and is capable of task deduction and
internal reorganization based upon anticipated changes in the external
environment. This situation is exemplified by multiple satellites operating
in a cooperative mode. In the event of a satellite failure, remaining
satellites would detect autonomously the condition (task deduction) and may
generate and execute orbit- and spacecraft-reconfiguration commands.

Level 10. Includes Level 9 and is capable of internal reorganization and
dynamic task deduction based on unspecified and unknown/unanticipated changes
in external environment. The system will strive to maximize system utility.
Thus, mission objectives should be adaptive and automatically reprogrammable.
System resources should be maximized to preserve task adaptiveness.


